
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0HIluCX082562 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 17 Jan 2007 11:47:56 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0HIluQw082560; Wed, 17 Jan 2007 11:47:56 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0HIltQc082549; Wed, 17 Jan 2007 11:47:55 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250])  by rufus.isode.com (submission channel) via TCP with ESMTPA  id <Ra5vWgBD3Tiu@rufus.isode.com>; Wed, 17 Jan 2007 18:47:54 +0000
Message-ID: <45AE6F4C.4020903@isode.com>
Date: Wed, 17 Jan 2007 18:47:40 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Frank Ellermann <nobody@xyzzy.claranet.de>
CC: ietf-sasl@imc.org, ietf-pop3ext@imc.org
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <200701150450.l0F4of78001138@boole.openldap.org> <45AB62E1.8030408@isode.com> <45ABD87A.4392@xyzzy.claranet.de>
In-Reply-To: <45ABD87A.4392@xyzzy.claranet.de>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Frank Ellermann wrote:

>Alexey Melnikov wrote:
>
>>>>The multi-line response client to server confuses me.
>>>>Which SASL mechanism needs this ?
>>>
>>>There's no multi-line response (unless I'm missing something).
>>
>>Indeed.
>>There are mechanisms with multiple challenges/responses.
>
>Let's see, I hope I got it now.  What really happens is this:
>
>C: AUTH mech initial-response-if-allowed-for-mech
>S: + challenge
>C: response
>S: + challenge
>C: response
>S: +OK you're logged in, mailbox locked, have fun
>
Correct.

>However the ABNF puts the complete part of the client into one
><auth-command> = "AUTH" mech [SP ir] *( CRLF [base64]) CRLF
>
>My confusion was that I thought the client sends this complete
>multi-line <auth-command> at once, without intervening server
>challenges.
>
Right.

>Maybe it's only me, then forget it.  Otherwise the ABNF has a
><continue-req> for the "+" SP [base64] CRLF from the server,
>it could similarly also define a <continue-response>:
>
>auth-command     = "AUTH" mech [initial-response] CRLF *(response)
>initial-response = SP (base64 / "=")   ; a single "=" if empty
>response         = [base64] CRLF       ; after server challenge
>
I don't object to something like this.

>  [Abhijit Menon-Sen wrote:]
>
>>>there's no very good way to express this in the ABNF
>
>Yes, but maybe using an explicit <response> with a comment helps.
>
>For Hector's multi-line observation I'm not sure what that was,
>an implementor confused like me, or some kind of pipelining.



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FKlR8r075769 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:47:27 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FKlRoj075768; Mon, 15 Jan 2007 13:47:27 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from boole.openldap.org (boole.openldap.org [204.152.186.50]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FKlPd0075734 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:47:26 -0700 (MST) (envelope-from Kurt@OpenLDAP.org)
Received: from gypsy.OpenLDAP.org (71-80-218-136.dhcp.crcy.nv.charter.com [71.80.218.136] (may be forged)) (authenticated bits=0) by boole.openldap.org (8.13.8/8.13.8) with ESMTP id l0FKl0Vt054215 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 20:47:01 GMT (envelope-from Kurt@OpenLDAP.org)
Message-Id: <200701152047.l0FKl0Vt054215@boole.openldap.org>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 15 Jan 2007 12:46:40 -0800
To: Paul Leach <paulle@windows.microsoft.com>
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Cc: Lisa Dusseault <lisa@osafoundation.org>, Arnt Gulbrandsen <arnt@oryx.com>, Alexey Melnikov <alexey.melnikov@isode.com>, <robsiemb@google.com>, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, <ietf-pop3ext@imc.org>, <ietf-sasl@imc.org>, Simon Josefsson <simon@josefsson.org>
In-Reply-To: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org> <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

At 12:02 PM 1/15/2007, Paul Leach wrote:
>Since DIGEST-MD5 was the MTI for SASL in LDAP, I don't quite get the
>complaints about implementability -- plenty of people did it as a
>result. 

Was but is no longer LDAP's "strong" authentication method.
LDAP's current "strong" authentication method is currently
TLS-protected simple DN/password.  LDAPbis concluded DIGEST-MD5
interoperability, especially in regards to security layers,
just wasn't there.  I don't think any of LDAPbis's concerns
about DIGEST-MD5 were specific to LDAP.

>I really think that all use of plain text passwords, even over an
>encrypted tunnel to a trusted party, should be discouraged. (At
>the very least, a stern passage in the security considerations section is needed.)

I concur.

-- Kurt




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FKSZXT072193 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:28:35 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FKSZwl072192; Mon, 15 Jan 2007 13:28:35 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from orthanc.ca (orthanc.ca [209.89.70.53]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FKSXmD072179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 15 Jan 2007 13:28:34 -0700 (MST) (envelope-from lyndon@orthanc.ca)
Received: from [2002:ccf4:e05d:2:212:3fff:fef3:4d8e] ([IPv6:2002:ccf4:e05d:2:212:3fff:fef3:4d8e]) (authenticated bits=0) by orthanc.ca (8.13.4/8.13.4) with ESMTP id l0FKS1B2022537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:28:01 -0700 (MST) (envelope-from lyndon@orthanc.ca)
Date: Mon, 15 Jan 2007 12:28:00 -0800 (PST)
From: Lyndon Nerenberg <lyndon@orthanc.ca>
To: Paul Leach <paulle@windows.microsoft.com>
cc: Lisa Dusseault <lisa@osafoundation.org>, Arnt Gulbrandsen <arnt@oryx.com>, Alexey Melnikov <alexey.melnikov@isode.com>, robsiemb@google.com, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-pop3ext@imc.org, ietf-sasl@imc.org, Simon Josefsson <simon@josefsson.org>
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
In-Reply-To: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
Message-ID: <20070115122513.Q1195@gollum.dev.gmi-mr.com>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org> <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
Organization: The Frobozz Magic Homing Pigeon Company
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,NO_RELAYS  autolearn=ham version=3.1.7
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on orthanc.ca
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

On Mon, 15 Jan 2007, Paul Leach wrote:

> I worry that having TLS+PLAIN be the MTI sends an implicit message that
> it is "good enough". I really think that all use of plain text
> passwords, even over an encrypted tunnel to a trusted party, should be
> discouraged. (At the very least, a stern passage in the security
> considerations section is needed.) It is well known that users use the
> same password on many different servers, so TLS+PLAIN lets any such
> server act as the user to any other server.

I strongly agree with this.  In many corporate environments this sort of 
password re-use is enforced behaviour, mandated by corporate "security" 
policy.  Strange, but true.


--lyndon

   Never look at the trombones. You'll only encourage them.
   			-- Robert Strauss, on conducting



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FK1gcN070341 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:01:42 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FK1geu070340; Mon, 15 Jan 2007 13:01:42 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FK1dSl070328 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Mon, 15 Jan 2007 13:01:40 -0700 (MST) (envelope-from paulle@windows.microsoft.com)
Received: from TK5-EXHUB-C101.redmond.corp.microsoft.com (157.54.70.76) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.0.685.24; Mon, 15 Jan 2007 12:01:39 -0800
Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com (157.54.69.169) by TK5-EXHUB-C101.redmond.corp.microsoft.com (157.54.70.76) with Microsoft SMTP Server id 8.0.685.24; Mon, 15 Jan 2007 12:01:33 -0800
Received: from WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.24]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2825);	 Mon, 15 Jan 2007 12:01:33 -0800
x-mimeole: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Date: Mon, 15 Jan 2007 12:02:10 -0800
Message-ID: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: "POP3 SASL Authentication Mechanism" submitted for publication
Thread-Index: Acc4z/nD4bmn+NKbTfeUJJ378USc8QADevlA
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org>
From: Paul Leach <paulle@windows.microsoft.com>
To: Lisa Dusseault <lisa@osafoundation.org>, Arnt Gulbrandsen <arnt@oryx.com>
CC: Alexey Melnikov <alexey.melnikov@isode.com>, <robsiemb@google.com>, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, <ietf-pop3ext@imc.org>, <ietf-sasl@imc.org>, Simon Josefsson <simon@josefsson.org>
X-OriginalArrivalTime: 15 Jan 2007 20:01:33.0012 (UTC) FILETIME=[F4412140:01C738DF]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id l0FK1eSl070330
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

I worry that having TLS+PLAIN be the MTI sends an implicit message that
it is "good enough". I really think that all use of plain text
passwords, even over an encrypted tunnel to a trusted party, should be
discouraged. (At the very least, a stern passage in the security
considerations section is needed.) It is well known that users use the
same password on many different servers, so TLS+PLAIN lets any such
server act as the user to any other server.

CRAM-MD5 to an untrustworthy server lets them mount a chosen plaintext
attack using a precomputed dictionary. (It can choose a constant
challenge.) DIGEST-MD5 lets the client contribute part of the challenge,
thus mitigating this attack. In addition, use of the same password on
different servers does not allow those servers to act as the user. Since
DIGEST-MD5 was the MTI for SASL in LDAP, I don't quite get the
complaints about implementability -- plenty of people did it as a
result.

(PS: I agree that DIGEST-MD5 is ugly -- a much nicer version with all of
its properties could have been designed. At the time when HTTP/1.1 was
being spec'd, it was felt that backwards compatibility was important,
which is where much of the ugliness came from.)

-----Original Message-----
From: owner-ietf-sasl@mail.imc.org [mailto:owner-ietf-sasl@mail.imc.org]
On Behalf Of Lisa Dusseault
Sent: Monday, January 15, 2007 9:52 AM
To: Arnt Gulbrandsen
Cc: Alexey Melnikov; robsiemb@google.com; Abhijit Menon-Sen; Frank
Ellermann; ietf-pop3ext@imc.org; ietf-sasl@imc.org; Simon Josefsson
Subject: Re: "POP3 SASL Authentication Mechanism" submitted for
publication



I think we might have rough consensus around TLS+PLAIN as the  
"Mandatory to Implement" mechanism.  Note that
having a single "MTI" mechanism still allows people to implement and  
use additional mechanisms.  It also allows administrators to decide  
that TLS+PLAIN is not good enough for their site policy and disable  
it,  even though their server software supports it as required.

Since there's not an official WG to poll, I'm basing this conclusion  
on a handful of private comments on this draft as well as messages to  
this list.  If anybody wants to add their voice, please do so.

thx,
Lisa

On Jan 15, 2007, at 4:05 AM, Arnt Gulbrandsen wrote:

> Alexey Melnikov writes:
>> Simon Josefsson wrote:
>>> and TLS+CRAM-MD5
>>
>> This doesn't give anything over TLS+PLAIN and also doesn't support  
>> authorization identity.
>> I am against this choice.
>
> TLS+CRAM-MD5 doesn't reveal the user's secret to the server. A very  
> nice property if you're not 100% sure that you're talking to the  
> right server.
>
> Arnt
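The properties Paul contrasts above, checked in code: PLAIN carries the password itself; under a constant server challenge a CRAM-MD5 response is a fixed function of the password, so the server could have computed it ahead of time for candidate passwords; a client-contributed nonce, the DIGEST-MD5 idea, removes that; and what a TLS+PLAIN server observes is directly usable at another server where the user has the same password, while a CRAM-MD5 digest is not. This is an added example, not code from the draft or from anyone on the list. The credentials, challenges and server names are constructed, and `cnonce_response` is a simplified sketch of the client-nonce idea, not the actual DIGEST-MD5 computation.

```python
import hashlib, hmac, os

def plain_message(authzid, authcid, password):
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL password. The secret itself is the message."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))

def verify_plain(users, message):
    try:
        _, authcid, password = message.split(b"\0")
        pw = users.get(authcid.decode("utf-8"))
    except ValueError:                        # wrong field count or bad UTF-8
        return False
    return pw is not None and hmac.compare_digest(pw.encode("utf-8"), password)

def cram_md5_response(user, password, challenge):
    """RFC 2195 CRAM-MD5: "user" SP hex(HMAC-MD5(key=password, msg=challenge))."""
    return "%s %s" % (user, hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest())

def verify_cram_md5(users, challenge, response):
    user = response.partition(" ")[0]
    pw = users.get(user)
    expected = cram_md5_response(user, pw or "", challenge)       # same cost for unknown users
    return pw is not None and hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))

def cnonce_response(user, password, challenge, cnonce):
    """Sketch of the DIGEST-MD5 idea, not its actual formula: the client folds its own
    nonce into the hashed input, so a server that fixes its challenge still cannot fix
    the whole input that the password is applied to."""
    mac = hmac.new(password.encode("utf-8"), challenge + b":" + cnonce, hashlib.md5).hexdigest()
    return "%s %s %s" % (user, cnonce.decode("ascii"), mac)

def password_visible(message, password):
    """Does the authentication message carry the password verbatim?"""
    return password.encode("utf-8") in message

def response_fixed_by_server(responder, password, challenge, sessions=5):
    """With a constant server challenge, does the client's response repeat across sessions?
    If so, once the server has chosen its challenge the response depends on the password
    alone, which is the precomputation weakness described in the message above."""
    return len({responder(password, challenge) for _ in range(sessions)}) == 1

def observed_by_a_works_at_b(users_b, observed, challenge_b, mechanism):
    """Server A recorded what the user sent it. Presented unchanged to server B (same
    password there), does it pass? PLAIN: yes, A now holds the password. CRAM-MD5: no,
    B issues its own challenge and the old digest does not verify against it."""
    if mechanism == "PLAIN":
        return verify_plain(users_b, observed)
    return verify_cram_md5(users_b, challenge_b, observed)

USERS = {"alice": "correct horse"}        # constructed: same password at servers A and B
CHALLENGE_A = b"<17.1@a.example>"         # constructed challenges
CHALLENGE_B = b"<42.9@b.example>"

def summary():
    """Compare the three options discussed in the thread; returns a dict of findings."""
    pw = USERS["alice"]
    plain = plain_message("", "alice", pw)
    cram = cram_md5_response("alice", pw, CHALLENGE_A)
    cram_only = lambda p, ch: cram_md5_response("alice", p, ch)
    with_cnonce = lambda p, ch: cnonce_response("alice", p, ch, os.urandom(8).hex().encode("ascii"))
    return {
        "plain_exposes_password": password_visible(plain, pw),
        "cram_exposes_password": password_visible(cram.encode("utf-8"), pw),
        "cram_precomputable_under_fixed_challenge": response_fixed_by_server(cram_only, pw, CHALLENGE_A),
        "cnonce_precomputable_under_fixed_challenge": response_fixed_by_server(with_cnonce, pw, CHALLENGE_A),
        "plain_reusable_by_server_a_at_b": observed_by_a_works_at_b(USERS, plain, CHALLENGE_B, "PLAIN"),
        "cram_reusable_by_server_a_at_b": observed_by_a_works_at_b(USERS, cram, CHALLENGE_B, "CRAM-MD5"),
    }
```

`summary()` returns True for the PLAIN exposure and reuse findings and for CRAM-MD5 precomputability under a fixed challenge, and False for the CRAM-MD5 exposure and reuse findings and for the nonce-mixed variant; the TLS layer does not change any of these, since they concern what the far end of the tunnel learns.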




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FJj8K9068860 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 12:45:08 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FJj8hS068859; Mon, 15 Jan 2007 12:45:08 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FJj6Hk068853 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-pop3ext@imc.org>; Mon, 15 Jan 2007 12:45:07 -0700 (MST) (envelope-from gip-ietf-pop3ext-53@gmane.org)
Received: from root by ciao.gmane.org with local (Exim 4.43) id 1H6XlN-0001xr-QX for ietf-pop3ext@imc.org; Mon, 15 Jan 2007 20:45:01 +0100
Received: from 212.82.251.228 ([212.82.251.228]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-pop3ext@imc.org>; Mon, 15 Jan 2007 20:45:01 +0100
Received: from nobody by 212.82.251.228 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-pop3ext@imc.org>; Mon, 15 Jan 2007 20:45:01 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: ietf-pop3ext@imc.org
From: Frank Ellermann <nobody@xyzzy.claranet.de>
Subject:  Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Date:  Mon, 15 Jan 2007 20:39:38 +0100
Organization:  <URL:http://purl.net/xyzzy>
Lines: 45
Message-ID:  <45ABD87A.4392@xyzzy.claranet.de>
References:  <200701150450.l0F4of78001138@boole.openldap.org> <45AB62E1.8030408@isode.com>
Mime-Version:  1.0
Content-Type:  text/plain; charset=us-ascii
Content-Transfer-Encoding:  7bit
X-Complaints-To: usenet@sea.gmane.org
X-Gmane-NNTP-Posting-Host: 212.82.251.228
X-Mailer: Mozilla 3.0 (OS/2; U)
Cc: ietf-sasl@imc.org
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Alexey Melnikov wrote:

>>> The multi-line response client to server confuses me.
>>> Which SASL mechanism needs this ?

>> There's no multi-line response (unless I'm missing something).

> Indeed.
> There are mechanisms with multiple challenges/responses.

Let's see, I hope I got it now.  What really happens is this:

C: AUTH mech initial-response-if-allowed-for-mech
S: + challenge
C: response
S: + challenge
C: response
S: +OK you're logged in, mailbox locked, have fun

However the ABNF puts the complete part of the client into one
<auth-command> = "AUTH" mech [SP ir] *( CRLF [base64]) CRLF

My confusion was that I thought the client sends this complete
multi-line <auth-command> at once, without intervening server
challenges.

Maybe it's only me, then forget it.  Otherwise the ABNF has a
<continue-req> for the "+" SP [base64] CRLF from the server,
it could similarly also define a <continue-response>:

auth-command     = "AUTH" mech [initial-response] CRLF *(response)
initial-response = SP (base64 / "=")   ; a single "=" if empty
response         = [base64] CRLF       ; after server challenge

  [Abhijit Menon-Sen wrote:]
>> there's no very good way to express this in the ABNF

Yes, but maybe using an explicit <response> with a comment helps.

For Hector's multi-line observation I'm not sure what that was,
an implementor confused like me, or some kind of pipelining.


Frank
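The exchange Frank lays out above, driven end to end through the grammar he proposes, as an added example (not code from the draft or from any list member). It parses the client's `AUTH` line and the server's `+ ` continuation lines, runs RFC 2195 CRAM-MD5 through them (one challenge, one response), and also runs a made-up two-round variant, labelled `TOY-MUTUAL`, which is not a registered SASL mechanism and exists only to exercise the multiple-challenge path: the server answers with its own proof and the client replies with an empty response line, the same shape as the rspauth round in the draft's DIGEST-MD5 example. The credentials and challenge are constructed. Note the two different encodings of "empty": an empty initial response travels as `=` on the `AUTH` line, while an empty later response is just an empty line.

```python
import base64, hashlib, hmac, re

# Wire grammar as proposed in the message above (continue-req is the draft's rule):
#   auth-command     = "AUTH" mech [initial-response] CRLF *(response)
#   initial-response = SP (base64 / "=")   ; a single "=" if empty
#   response         = [base64] CRLF       ; after server challenge
#   continue-req     = "+" SP [base64] CRLF
_AUTH_RE = re.compile(r"^AUTH (?P<mech>[A-Z0-9_-]{1,20})(?: (?P<ir>=|[A-Za-z0-9+/]+=*))?$")

def parse_auth_command(line):
    """Client's first line -> (mech, ir): ir is None if absent, b"" if sent as "=", else bytes."""
    m = _AUTH_RE.match(line)
    if not m:
        raise ValueError("malformed AUTH command: %r" % line)
    ir = m.group("ir")
    return m.group("mech"), (None if ir is None else b"" if ir == "=" else base64.b64decode(ir, validate=True))

def parse_server_line(line):
    """Server line -> ("continue", bytes) | ("ok", text) | ("err", text).
    An empty challenge is "+ " (the SP is mandatory), which keeps it distinct from "+OK"."""
    if line.startswith("+OK"):
        return "ok", line[3:].strip()
    if line.startswith("-ERR"):
        return "err", line[4:].strip()
    if line.startswith("+ "):
        return "continue", base64.b64decode(line[2:], validate=True)   # raises on bad base64
    raise ValueError("unexpected server line: %r" % line)

def cram_md5_digest(password, challenge):
    """RFC 2195: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()

class HmacServer:
    """mutual=False: RFC 2195 CRAM-MD5, one challenge and one response.
    mutual=True: hypothetical two-round variant constructed for this example (not a registered
    mechanism): the server sends its own proof as a second challenge and expects an empty response."""
    def __init__(self, users, challenge, mutual=False):
        self.users, self.challenge, self.mutual, self.round, self.user = users, challenge, mutual, 0, None
    def step(self, response):
        self.round += 1
        if self.round == 1:                                       # issue the challenge
            return "continue", self.challenge
        if self.round == 2:                                       # verify "user SP hexdigest"
            try:
                user, digest = response.decode("ascii").split(" ", 1)
            except (UnicodeDecodeError, ValueError):
                return "err", "malformed response"
            pw = self.users.get(user)
            expected = cram_md5_digest(pw or "", self.challenge)  # same cost for unknown users
            if pw is None or not hmac.compare_digest(expected, digest):
                return "err", "authentication failed"
            self.user = user
            if not self.mutual:
                return "ok", user
            return "continue", b"rspauth=" + cram_md5_digest(pw, b"server:" + self.challenge).encode("ascii")
        return ("ok", self.user) if response == b"" else ("err", "unexpected data after rspauth")

class HmacClient:
    def __init__(self, user, password, mutual=False):
        self.user, self.password, self.mutual, self.challenge = user, password, mutual, None
    def initial_response(self):
        # CRAM-MD5 is server-first: no initial response at all (None). The mutual variant
        # sends an explicitly empty one, which run_auth puts on the wire as "=".
        return b"" if self.mutual else None
    def step(self, challenge):
        if self.challenge is None:
            self.challenge = challenge
            return ("%s %s" % (self.user, cram_md5_digest(self.password, challenge))).encode("ascii")
        expected = b"rspauth=" + cram_md5_digest(self.password, b"server:" + self.challenge).encode("ascii")
        if not hmac.compare_digest(expected, challenge):
            raise ValueError("server could not prove knowledge of the shared secret")
        return b""                                                # empty response line, not "="

def run_auth(mech, client, server):
    """Drive one AUTH exchange, pushing every line through the wire parsers.
    Returns (transcript, outcome); transcript is a list of ("C"|"S", line without CRLF)."""
    transcript, ir = [], client.initial_response()
    line = "AUTH " + mech + ("" if ir is None else " " + (base64.b64encode(ir).decode("ascii") or "="))
    transcript.append(("C", line))
    kind, payload = server.step(parse_auth_command(line)[1])
    while True:
        sline = ("+ " + base64.b64encode(payload).decode("ascii") if kind == "continue"
                 else ("+OK " if kind == "ok" else "-ERR ") + payload)
        transcript.append(("S", sline))
        kind, data = parse_server_line(sline)
        if kind != "continue":
            return transcript, (kind, data)
        cline = base64.b64encode(client.step(data)).decode("ascii")   # "" for an empty response
        transcript.append(("C", cline))
        kind, payload = server.step(base64.b64decode(cline, validate=True))

USERS = {"alice": "correct horse"}                    # constructed sample credentials
CHALLENGE = b"<1896.697170952@postoffice.example>"    # constructed, RFC 2195 style

def demo(mutual=False, password="correct horse"):
    return run_auth("TOY-MUTUAL" if mutual else "CRAM-MD5",
                    HmacClient("alice", password, mutual), HmacServer(USERS, CHALLENGE, mutual))
```

`demo()` yields the four-line CRAM-MD5 transcript (`AUTH CRAM-MD5`, `+ ...`, the base64 response, `+OK alice`); `demo(mutual=True)` yields six lines starting with `AUTH TOY-MUTUAL =` and containing an empty client line before the final `+OK`. Every server line goes through `parse_server_line`, so the `+ ` versus `+OK` distinction that the draft's trailing-space rule preserves is exercised rather than assumed.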




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FJIOr7065834 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 12:18:24 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FJIOh5065833; Mon, 15 Jan 2007 12:18:24 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FJIHt1065823 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-pop3ext@imc.org>; Mon, 15 Jan 2007 12:18:20 -0700 (MST) (envelope-from gip-ietf-pop3ext-53@gmane.org)
Received: from list by ciao.gmane.org with local (Exim 4.43) id 1H6XLE-0005iY-Eg for ietf-pop3ext@imc.org; Mon, 15 Jan 2007 20:18:00 +0100
Received: from 212.82.251.228 ([212.82.251.228]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-pop3ext@imc.org>; Mon, 15 Jan 2007 20:18:00 +0100
Received: from nobody by 212.82.251.228 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-pop3ext@imc.org>; Mon, 15 Jan 2007 20:18:00 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: ietf-pop3ext@imc.org
From: Frank Ellermann <nobody@xyzzy.claranet.de>
Subject:  Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Date:  Mon, 15 Jan 2007 20:17:31 +0100
Organization:  <URL:http://purl.net/xyzzy>
Lines: 27
Message-ID:  <45ABD34B.13E9@xyzzy.claranet.de>
References:  <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <45AB0238.2050906@santronics.com>
Mime-Version:  1.0
Content-Type:  text/plain; charset=us-ascii
Content-Transfer-Encoding:  7bit
X-Complaints-To: usenet@sea.gmane.org
X-Gmane-NNTP-Posting-Host: 212.82.251.228
X-Mailer: Mozilla 3.0 (OS/2; U)
Cc: ietf-sasl@imc.org
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Hector Santos wrote:
 
> AUTH
> +OK list of supported mechanisms follows
> CRAM-MD4
> DIGEST-MD5
> LOGIN
> PLAIN
> .

Hmph, I'd say you'd get the list of SASL mechanisms (+ STLS and 
USER where available) with CAPA, not with a bare AUTH, and it's
CRAM-MD5, not CRAM-MD4.

POP3 and SASL have no "LOGIN" mechanism, if that's USER + PASS the
capability is USER.  At least it's clear that publishing a 1734bis
is a good idea... ;-)   Minus the mandatory DIGEST-MD5 of course.

> Now, have I ever come across a client using DIGEST-MD5?  No, not
> that I recall.

Thanks for the info.  The statement "to the best of my knowledge, the 
majority of POP3 implementations support this extension already"
was apparently not about DIGEST-MD5, but more generally about SASL.

Frank




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FHqanL056430 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 10:52:36 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FHqaTp056427; Mon, 15 Jan 2007 10:52:36 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from laweleka.osafoundation.org (laweleka.osafoundation.org [204.152.186.98]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FHqWg5056416; Mon, 15 Jan 2007 10:52:32 -0700 (MST) (envelope-from lisa@osafoundation.org)
Received: from localhost (localhost [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id CE00514227C; Mon, 15 Jan 2007 09:52:31 -0800 (PST)
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00456-05; Mon, 15 Jan 2007 09:52:30 -0800 (PST)
Received: from [192.168.1.101] (c-69-181-78-47.hsd1.ca.comcast.net [69.181.78.47]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by laweleka.osafoundation.org (Postfix) with ESMTP id 8726F14227D; Mon, 15 Jan 2007 09:52:25 -0800 (PST)
In-Reply-To: <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, robsiemb@google.com, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-pop3ext@imc.org, ietf-sasl@imc.org, Simon Josefsson <simon@josefsson.org>
Content-Transfer-Encoding: 7bit
From: Lisa Dusseault <lisa@osafoundation.org>
Subject: Re: "POP3 SASL Authentication Mechanism" submitted for publication
Date: Mon, 15 Jan 2007 09:52:22 -0800
To: Arnt Gulbrandsen <arnt@oryx.com>
X-Mailer: Apple Mail (2.752.2)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

I think we might have rough consensus around TLS+PLAIN as the  
"Mandatory to Implement" mechanism.  Note that
having a single "MTI" mechanism still allows people to implement and  
use additional mechanisms.  It also allows administrators to decide  
that TLS+PLAIN is not good enough for their site policy and disable  
it,  even though their server software supports it as required.

Since there's not an official WG to poll, I'm basing this conclusion  
on a handful of private comments on this draft as well as messages to  
this list.  If anybody wants to add their voice, please do so.

thx,
Lisa

On Jan 15, 2007, at 4:05 AM, Arnt Gulbrandsen wrote:

> Alexey Melnikov writes:
>> Simon Josefsson wrote:
>>> and TLS+CRAM-MD5
>>
>> This doesn't give anything over TLS+PLAIN and also doesn't support  
>> authorization identity.
>> I am against this choice.
>
> TLS+CRAM-MD5 doesn't reveal the user's secret to the server. A very  
> nice property if you're not 100% sure that you're talking to the  
> right server.
>
> Arnt



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FC3DOt028301 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 05:03:13 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FC3Di7028300; Mon, 15 Jan 2007 05:03:13 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FC3BiF028288; Mon, 15 Jan 2007 05:03:12 -0700 (MST) (envelope-from arnt@oryx.com)
Received: from libertango.oryx.com (libertango.oryx.com [195.30.37.9]) by kalyani.oryx.com (Postfix) with ESMTP id 18E564AD83; Mon, 15 Jan 2007 13:03:11 +0100 (CET)
Message-Id: <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com>
Date: Mon, 15 Jan 2007 13:05:22 +0100
From: Arnt Gulbrandsen <arnt@oryx.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Cc: robsiemb@google.com, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-pop3ext@imc.org, ietf-sasl@imc.org, Simon Josefsson <simon@josefsson.org>, lisa@osafoundation.org
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com>
In-Reply-To: <45AB6731.9090906@isode.com>
Content-Type: text/plain; format=flowed
MIME-Version: 1.0
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Alexey Melnikov writes:
> Simon Josefsson wrote:
>> and TLS+CRAM-MD5
>
> This doesn't give anything over TLS+PLAIN and also doesn't support 
> authorization identity.
> I am against this choice.

TLS+CRAM-MD5 doesn't reveal the user's secret to the server. A very nice 
property if you're not 100% sure that you're talking to the right 
server.

Arnt



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FBdVnZ026456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 04:39:31 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FBdVSM026455; Mon, 15 Jan 2007 04:39:31 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FBdUf9026443; Mon, 15 Jan 2007 04:39:30 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250])  by rufus.isode.com (submission channel) via TCP with ESMTPA  id <Ratn8ABD3Y1Q@rufus.isode.com>; Mon, 15 Jan 2007 11:39:29 +0000
Message-ID: <45AB67E5.2030505@isode.com>
Date: Mon, 15 Jan 2007 11:39:17 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Abhijit Menon-Sen <ams@oryx.com>
CC: Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-sasl@imc.org, lisa@osafoundation.org, ietf-pop3ext@imc.org, robsiemb@google.com
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org>
In-Reply-To: <20070114105359.GA30833@penne.toroid.org>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-transfer-encoding: 7bit
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Abhijit Menon-Sen wrote:

>At 2007-01-14 08:45:44 +0100, nobody@xyzzy.claranet.de wrote:
>
>>None of the POP3 servers I know support SASL, let alone DIGEST-MD5.
>
>Just a note: My POP3 server has supported SASL for a long time.
>
The same is true for Cyrus and Isode implementations.

 [...]

>>Other nits / questions about the -08 draft:
>>
>>RFC 1734  had "AUTH" 1*WSP auth_type *(CRLF base64) CRLF
>>The draft has "AUTH" SP sasl-mech [SP (base64 / "=" )] *(CRLF [base64]) CRLF
>>
>>1: Why was 1*WSP replaced by a single SP ?
>
>I don't know (happened before I inherited the draft). Rob?
>
 Only allowing for a single space makes implementation simpler.

[...]

>>The added DIGEST-MD5 example (thanks!) uses an RFC 4422 "empty response"
>>at the end:
>>
>>    S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
>>    C:
>>    S: +OK Maildrop locked and ready
>>
>>5: Why is an empty response no "=" as in the <initial-response> ?
>
>Because it's not an initial response. (The "=" encoding for an empty
>SASL initial response is taken from Rob's IMAP SASL-IR draft.)
>
Historically an empty response wasn't sent as "=". The "=" is used to 
specify an empty initial response (which is different from the missing 
initial response).

>>The syntax for <continue-req> requires a trailing space if it's empty.
>>
>>    continue-req    = "+" SP [base64] CRLF
>
>That's consistent with IMAP.
>
>I notice the following:
>
>    Additionally, the ABNF specified in [RFC2449] is updated as follows:
>
>          challenge      /= continue-req
>
>But the ABNF specified in RFC2449 (pop3 extension mechanism) doesn't
>actually define a "challenge" at all (and that /= should be =/ in any
>case). I can't find anything that seems to define challenge in a way
>relevant to POP3. (1734 doesn't define challenge at all.)
>
>Rob? Do you remember what the intent was here?
>
The space is required in other application protocols using SASL (e.g. IMAP).

 [...]

>>8: What is the meaning of a <realm> wrt POP3 ?  Can servers pick what
>>   they like ?
>>
Yes.

>>What's the definition of <authzid> wrt POP3 ?
>>
From the POP3 SASL draft:
          The authorization identity generated by the SASL exchange is a
          simple username, and SHOULD use the SASLprep profile (see
          [RFC4013]) of the StringPrep algorithm (see [RFC3454]) to
          prepare these names for matching.  If preparation of the
          authorization identity fails or results in an empty string
          (unless it was transmitted as the empty string), the server
          MUST fail the authentication.

>>   If it
>>   isn't allowed the draft should mention this.
>
>That depends entirely on the server implementation, I'd say.
>
>>9: RFC 2831 requires that the size of a digest-response is less than
>>   4096 bytes.  4*4095/3=5460, the draft should state this limit for
>>   a DIGEST-MD5 response, it's more than the 40 guaranteed in RFC 1939.
>
>I don't think it's really necessary. The length limitation, so far as it
>applies to the initial-response, is described already:
>
>          For the purposes of the initial client response, the line
>          length limitation defined in [RFC2449] still applies.  If a
>          client initial send would cause the AUTH command to exceed
>          this length, the client MUST NOT use the initial response
>          parameter (and must proceed instead by sending its initial
>          response after an empty challenge from the server, as in
>          section 3 of [RFC4422]).
>
 [...]

>>11: Can the client indicate its <maxbuf>, and what would servers do
>>    with it ?
>>
The server is not allowed to send buffers encoded with SASL security 
layer, which are bigger than the value specified by the client.

>>Do all clients support the default 64 KB ?
>>
I don't think so. It wouldn't be the case for clients running on small 
devices.

>>Wrt POP3 is
>>    a <maxbuf> the maximal line length, or the combined multi-line
>>    length (i.e. message size) ?
>
Neither. <maxbuf> is not related to line lengths during authentication 
exchange, it only affects SASL security layer.

>I'm afraid I have no idea.
>



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FBaWiB025324 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 04:36:32 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FBaWhv025322; Mon, 15 Jan 2007 04:36:32 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FBaUkF025312; Mon, 15 Jan 2007 04:36:30 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250])  by rufus.isode.com (submission channel) via TCP with ESMTPA  id <RatnPABD3U9B@rufus.isode.com>; Mon, 15 Jan 2007 11:36:29 +0000
Message-ID: <45AB6731.9090906@isode.com>
Date: Mon, 15 Jan 2007 11:36:17 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
CC: Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-sasl@imc.org, lisa@osafoundation.org, ietf-pop3ext@imc.org, robsiemb@google.com
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org>	<1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net>	<45A9DFA8.68E4@xyzzy.claranet.de>	<20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org>
In-Reply-To: <87k5zpgz7o.fsf@latte.josefsson.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Simon Josefsson wrote:

>Abhijit Menon-Sen <ams@oryx.com> writes:
>
>>>A mandatory CRAM-MD5 as recommended in BCP 46 could make sense
>>
>>This draft (and rfc2554bis, which Alexey is editing) were both changed
>>to use DIGEST-MD5 based on concerns about security. That's the way it
>>was when I started editing it, so I'll change it only if there's clear
>>consensus about the preferred replacement.
>>
>>Having implemented both client and server sides of DIGEST-MD5, I can't
>>say I'm very fond of it either. Personally, I'd be happy with TLS+PLAIN
>>or CRAM-MD5 (or whatever else makes everyone happy without a significant
>>security penalty; and I gather CRAM-MD5 is frowned upon in that regard).
>
>I prefer TLS+PLAIN
>
That would be fine with me, even though I somewhat dislike having a 
dependency on TLS.

>and TLS+CRAM-MD5
>
This doesn't give anything over TLS+PLAIN and also doesn't support 
authorization identity.
I am against this choice.

>over DIGEST-MD5 as well.  I
>believe they both offer better interoperability and security than
>DIGEST-MD5 currently can.
>



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0F4Qquq090173 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Jan 2007 21:26:52 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0F4Qqcn090172; Sun, 14 Jan 2007 21:26:52 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from winserver.com (ftp.catinthebox.net [208.247.131.9]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0F4QoFH090166 for <ietf-pop3ext@imc.org>; Sun, 14 Jan 2007 21:26:51 -0700 (MST) (envelope-from hsantos@santronics.com)
Received: by winserver.com (Wildcat! SMTP Router v6.2.452.1) for ietf-pop3ext@imc.org; Sun, 14 Jan 2007 23:28:05 -0500
Received: from [192.168.1.101] ([72.144.161.220]) by winserver.com (Wildcat! SMTP v6.2.452.1) with ESMTP id 2617888562; Sun, 14 Jan 2007 23:28:04 -0500
Message-ID: <45AB0238.2050906@santronics.com>
Date: Sun, 14 Jan 2007 23:25:28 -0500
From: Hector Santos <hsantos@santronics.com>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0a1 (Windows/20060724)
MIME-Version: 1.0
To: Frank Ellermann <nobody@xyzzy.claranet.de>
CC: lisa@osafoundation.org, ietf-pop3ext@imc.org
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de>
In-Reply-To: <45A9DFA8.68E4@xyzzy.claranet.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Frank Ellermann wrote:
> Lisa Dusseault wrote:
> 
>> Any comments on the document, its intended publication status or current
>> implementation status, are welcome.
> 
> It won't surprise anybody that I don't like DIGEST-MD5, and consider the
> idea to make it mandatory for POP3 as completely wrong.  None of the POP3
> servers I know support SASL, let alone DIGEST-MD5.

Our POP3 server supports implicit SSL (port 995), SASL including DIGEST-MD5.

c:> telnet mail.winserver.com 110

+OK Wildcat! POP3 Server v6.1.451.10 ready <long-challenge-string>
AUTH
+OK list of supported mechanisms follows
CRAM-MD4
DIGEST-MD5
LOGIN
PLAIN
.

Now, have I ever come across a client using DIGEST-MD5?  No, not that I 
recall.  If I recall, it's mainly LOGIN or PLAIN for Windows or Mac based 
MUAs or CRAM-MD5 for EUDORA or typically Mozilla based MUAs. I believe 
Windows OE also looks for a proprietary AUTH NTLM mechanism.

> The syntax as is allows AUTH mech =<crlf>base64<crlf><crlf>base64<crlf>
>
> 4: How does the server determine the end of an <initial-response> ?

Ironically, this might explain what we saw recently.  We recently came 
across an issue where we needed to do a correction in our SASL logic for 
our SMTP and POP3 servers. I didn't analyze it in detail, but it seems to 
be related to the network behavior of PDA devices where this information 
comes in two packets or commands:

In short it seems they were sending:

   PKT1:  AUTH mechanism<CRLF>
   PKT2:  base64<crlf>
   PKT3:  <crlf>
   PKT4:  base64<crlf>

or

   PKT1:  AUTH mechanism<CRLF>
   PKT2:  base64
   PKT3:  <crlf>
   PKT4:  base64<crlf>

We had to check for, and read, a possible extra 2 <CRLF> bytes after the 
initial client buffer (PKT2) was read.  This was a behavior only seen 
with certain PDA or Smartphone POP3 client software.

---
HLS
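The split-packet behaviour described above is a framing problem rather than a protocol question: both RFC 1734 and the draft delimit each client line by CRLF, so a server that reads per packet instead of per line will see "one response" or "two responses" depending on how the client happened to write to the socket. The reader below is an added illustration (not code from Wildcat! or from any implementation in this thread) that buffers bytes until a CRLF and ignores packet boundaries entirely; the length ceiling is the 4*4095/3 = 5460 octets Frank computed for a base64 DIGEST-MD5 response, used here as a constructed default. The two packet sequences are constructed from the patterns in the message above.

```python
# Added example: CRLF-framed reading of POP3 AUTH client lines that does not
# depend on how the client split its writes into packets. Not code from any
# implementation discussed in the thread.

# Constructed default ceiling: Frank's 4*4095/3 = 5460 octets for a base64
# DIGEST-MD5 response. A real server would derive its limit from what it
# advertises via CAPA.
MAX_LINE_OCTETS = 5460


class SaslLineReader:
    """Accumulate bytes from a socket and hand back complete lines.

    A line ends only at CRLF. Bytes without a terminating CRLF stay buffered
    until the next feed(), so a response split across packets, or a bare CRLF
    arriving in its own packet, is reassembled exactly as if it had come in
    one read.
    """

    def __init__(self, max_line=MAX_LINE_OCTETS):
        self._buf = b""
        self._max_line = max_line

    def feed(self, chunk: bytes) -> list:
        """Append chunk; return every line it completes, CRLF stripped."""
        self._buf += chunk
        lines = []
        while True:
            end = self._buf.find(b"\r\n")
            if end < 0:
                # Bound buffered data so a client cannot grow memory without
                # ever sending a CRLF.
                if len(self._buf) > self._max_line:
                    raise ValueError("line exceeds %d octets without CRLF" % self._max_line)
                return lines
            line = self._buf[:end]
            self._buf = self._buf[end + 2:]
            if len(line) > self._max_line:
                raise ValueError("line exceeds %d octets" % self._max_line)
            lines.append(line)

    def pending(self) -> int:
        """Octets buffered without a terminating CRLF."""
        return len(self._buf)


def replay(packets) -> list:
    """Feed a packet sequence through one reader and return the lines seen."""
    reader = SaslLineReader()
    lines = []
    for pkt in packets:
        lines.extend(reader.feed(pkt))
    return lines


# Constructed packet sequences modelled on the two patterns in the message above.
PKTS_EMPTY_RESPONSE = [b"AUTH mechanism\r\n", b"base64\r\n", b"\r\n", b"base64\r\n"]
PKTS_SPLIT_CRLF = [b"AUTH mechanism\r\n", b"base64", b"\r\n", b"base64\r\n"]

if __name__ == "__main__":
    print(replay(PKTS_EMPTY_RESPONSE))  # [b'AUTH mechanism', b'base64', b'', b'base64']
    print(replay(PKTS_SPLIT_CRLF))      # [b'AUTH mechanism', b'base64', b'base64']
```

The two sequences are genuinely different on the wire: in the first, the bare CRLF line is an empty client response, which the draft's `*(CRLF [base64])` allows; in the second there is no empty response at all, the lone CRLF merely terminates the previous line. A line-oriented reader distinguishes them without any special "read for extra CRLF bytes" step, and the ceiling keeps an unterminated line from consuming unbounded memory.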




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0EMjGfs068909 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Jan 2007 15:45:16 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0EMjGIG068908; Sun, 14 Jan 2007 15:45:16 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0EMjDKb068902 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-pop3ext@imc.org>; Sun, 14 Jan 2007 15:45:15 -0700 (MST) (envelope-from gip-ietf-pop3ext-53@m.gmane.org)
Received: from root by ciao.gmane.org with local (Exim 4.43) id 1H6E62-0008Ix-1c for ietf-pop3ext@imc.org; Sun, 14 Jan 2007 23:45:02 +0100
Received: from 212.82.251.27 ([212.82.251.27]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-pop3ext@imc.org>; Sun, 14 Jan 2007 23:45:02 +0100
Received: from nobody by 212.82.251.27 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf-pop3ext@imc.org>; Sun, 14 Jan 2007 23:45:02 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: ietf-pop3ext@imc.org
From: Frank Ellermann <nobody@xyzzy.claranet.de>
Subject:  Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Date:  Sun, 14 Jan 2007 23:09:11 +0100
Organization:  <URL:http://purl.net/xyzzy>
Lines: 140
Message-ID:  <45AAAA07.5320@xyzzy.claranet.de>
References:  <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org>
Mime-Version:  1.0
Content-Type:  text/plain; charset=us-ascii
Content-Transfer-Encoding:  7bit
X-Complaints-To: usenet@sea.gmane.org
X-Gmane-NNTP-Posting-Host: 212.82.251.27
X-Mailer: Mozilla 3.0 (OS/2; U)
Cc: ietf-sasl@imc.org
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Abhijit Menon-Sen wrote:
 
> My POP3 server has supported SASL for a long time.

The four or five I've seen unfortunately don't, otherwise I'd
add it to my client script.     
 
> This draft (and rfc2554bis, which Alexey is editing) were
> both changed to use DIGEST-MD5 based on concerns about 
> security.

If it's about "we can do better than APOP" CRAM-MD5 is better.

If the security concerns are that DIGEST-MD5 is again "better",
then it's utterly dubious; the only difference for qop=auth I'm
aware of is the cnonce, CRAM-MD5 has no cnonce.

The goal should be to get rid of USER:PASS and APOP, not to
promote DIGEST-MD5 if folks won't implement it, because it's 
too complex with its more than ten parameters.  Getting worse
if you've seen the 2831bis drafts.

If you decide to use it anyway you could wait until 2831bis
is ready, using a new SASLPREP example with "prep" parameter.

> I'll change it only if there's clear consensus about the 
> preferred replacement.

IMO there's no consensus for a mandatory DIGEST-MD5, and the
MUST in 2554bis will go.  CRAM-MD5 *is* the common mechanism
for ESMTPA, and if MUAs support it anyway for ESMTPA they can
also support it for POP3.

Users wanting something better should use ESMTPSA and STLS.
 
> Having implemented both client and server sides of DIGEST-MD5,
> I can't say I'm very fond of it either. Personally, I'd be
> happy with TLS+PLAIN or CRAM-MD5

+1 (I didn't try the server side)

> I gather CRAM-MD5 is frowned upon in that regard

Implementors normally prefer KISS if there's a choice.  Offer
them APOP or DIGEST-MD5, and they use APOP.  Offer them APOP
or CRAM-MD5, and they might try CRAM-MD5 if we're lucky.  My
(very unreliable) crystal ball says.

= 2 =
>> What's the idea of *(CRLF [base64]) instead of *(CRLF base64) ?
 
> That some client responses may be empty.

The multi-line response client to server confuses me.  Which SASL
mechanism needs this ?  If the server always knows how many lines
to expect I'd see how it works.

= 3 =
>>   auth-command     = "AUTH" SP sasl-mech [SP initial-response] CRLF
>>   initial-response = "=" / (base64 *(CRLF base64))
 
> That's wrong. The initial-response would be:
>     initial-response = "=" / base64

> The ABNF is defining the AUTH command as the first "AUTH mech ir"
> line followed by a series of (possibly empty) responses to server 
> challenges.

Okay, the following lines are additional responses.  An empty ir is
given as "=", all other empty response lines are just empty.  

But when the client sends AUTH there were no prior server challenges,
where do the additional responses come from ?  For APOP there is a
prior challenge in the greeting, how does that work for SASL ?

> I must admit I'm not looking forward to having to put together a 
> valid DIGEST-MD5 example.

Apparently we agree that DIGEST-MD5 is one of the worse mechanisms :-)
You could keep the challenge as is (copied from 2831):

        C: AUTH DIGEST-MD5
        S: + cmVhbG09ImVsd29vZC5pbm5vc29mdC5jb20iLG5vbmNlPSJPQTZNRzl0
             RVFHbTJoaCIscW9wPSJhdXRoIixhbGdvcml0aG09bWQ1LXNlc3MsY2hh
             cnNldD11dGYtOA==

In the response replace "imap" by "pop", the resulting digest is then
b0d56d2f054c24b62072322106468db9, and the complete response would be:

        C: Y2hhcnNldD11dGYtOCx1c2VybmFtZT0iY2hyaXMiLHJlYWxtPSJlbHdvb2
           QuaW5ub3NvZnQuY29tIixub25jZT0iT0E2TUc5dEVRR20yaGgiLG5jPTAw
           MDAwMDAxLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLGRpZ2VzdC11cmk9In
           BvcC9lbHdvb2QuaW5ub3NvZnQuY29tIixyZXNwb25zZT1iMGQ1NmQyZjA1
           NGMyNGI2MjA3MjMyMjEwNjQ2OGRiOSxxb3A9YXV0aA==

For the resulting rspauth=0b971462cef5e8f930db9a33b02fc9a0 I get:

        S: + cnNwYXV0aD0wYjk3MTQ2MmNlZjVlOGY5MzBkYjlhMzNiMDJmYzlhMA==
        C:
        S: +OK Maildrop locked and ready

Insert standard disclaimer.  

> The length limitation, so far as it applies to the initial-response,
> is described already:
 
>           For the purposes of the initial client response, the line
>           length limitation defined in [RFC2449] still applies.

That's not very clear, 2449 chapter 4 says:
  
   Servers which support the CAPA command MUST support commands up to
   255 octets.  Servers MUST also support the largest maximum command
   length specified by any supported capability.

Apparently servers MUST support any valid initial response in an AUTH,
otherwise they shouldn't offer the corresponding SASL mechanism.  But
your text continues:
>                                                                 If a
>           client initial send would cause the AUTH command to exceed
>           this length, the client MUST NOT use the initial response
>           parameter (and must proceed instead by sending its initial
>           response after an empty challenge from the server, as in
>           section 3 of [RFC4422]).

I'd interpret 2449 in a way that this can't happen.  Apparently your
interpretation is "limit 255".  If that's the case please mention 255
in your text directly, the quoted RFC 2449 clause is somewhat obscure.
 
 [<maxbuf> question]
> I'm afraid I have no idea.

Sorry, I forgot to check 2831bis:  Alexey fixed it already, the client
<maxbuf> only affects auth-int or auth-conf.  For the server <maxbuf>
it was already clear in RFC 2831.

All other questions answered, thanks.

 Frank
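The digest arithmetic behind the worked exchange above (RFC 2831, algorithm=md5-sess, qop=auth, password "secret") can be reproduced in a few lines, which is also the quickest way to check a hand-built example like this one. The code below is an added illustration, not code from the draft, from RFC 2831 or from any implementation in the thread: it decodes the challenge and response lines posted above, parses their directives, and recomputes the client response and server rspauth for any digest-uri. The RFC 2831 section 4 values (digest-uri "imap/elwood.innosoft.com") serve as the known-answer check; DIGEST-MD5 was later moved to Historic by RFC 6331, so this is for understanding the exchange rather than for new deployments.

```python
# Added example: recompute the DIGEST-MD5 (RFC 2831, qop=auth, md5-sess)
# client response and server rspauth, and decode the base64 lines posted
# above. Illustration only; not code from the draft or from any project.
import base64
import hashlib
import re

# The challenge and response lines posted in the message above (the RFC 2831
# section 4 example re-targeted at a POP3 digest-uri).
POSTED_CHALLENGE_B64 = (
    "cmVhbG09ImVsd29vZC5pbm5vc29mdC5jb20iLG5vbmNlPSJPQTZNRzl0"
    "RVFHbTJoaCIscW9wPSJhdXRoIixhbGdvcml0aG09bWQ1LXNlc3MsY2hh"
    "cnNldD11dGYtOA=="
)
POSTED_RESPONSE_B64 = (
    "Y2hhcnNldD11dGYtOCx1c2VybmFtZT0iY2hyaXMiLHJlYWxtPSJlbHdvb2"
    "QuaW5ub3NvZnQuY29tIixub25jZT0iT0E2TUc5dEVRR20yaGgiLG5jPTAw"
    "MDAwMDAxLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLGRpZ2VzdC11cmk9In"
    "BvcC9lbHdvb2QuaW5ub3NvZnQuY29tIixyZXNwb25zZT1iMGQ1NmQyZjA1"
    "NGMyNGI2MjA3MjMyMjEwNjQ2OGRiOSxxb3A9YXV0aA=="
)

# name=value or name="value", separated by commas
_DIRECTIVE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')


def parse_directives(text: str) -> dict:
    """Parse a comma-separated directive list into a name -> value dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _DIRECTIVE.finditer(text)}


def decode_sasl_line(b64: str) -> dict:
    """Base64-decode one challenge or response and parse its directives."""
    return parse_directives(base64.b64decode(b64, validate=True).decode("utf-8"))


def digest_md5_auth(username, realm, password, nonce, cnonce, nc, digest_uri,
                    authzid=None):
    """Return (response, rspauth) hex digests for qop=auth, algorithm=md5-sess.

    RFC 2831 section 2.1.2.1: A1 = H(username:realm:passwd) : nonce : cnonce
    [: authzid], where the inner H() is kept as raw 16 bytes, not hex.
    """
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid is not None:
        a1 += f":{authzid}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()

    def kd(a2: str) -> str:
        ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
        return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hexdigest()

    # The client's A2 carries the method; the server's rspauth A2 has an empty method.
    return kd(f"AUTHENTICATE:{digest_uri}"), kd(f":{digest_uri}")


def check_posted_response(response_b64: str, password: str):
    """Recompute a posted response with the given password.

    Returns (posted_response, computed_response, computed_rspauth); the
    caller compares the first two and the rspauth against the server line.
    """
    d = decode_sasl_line(response_b64)
    computed, rspauth = digest_md5_auth(d["username"], d["realm"], password,
                                        d["nonce"], d["cnonce"], d["nc"], d["digest-uri"])
    return d["response"], computed, rspauth


if __name__ == "__main__":
    print(decode_sasl_line(POSTED_CHALLENGE_B64))
    posted, computed, rspauth = check_posted_response(POSTED_RESPONSE_B64, "secret")
    print("posted  :", posted)
    print("computed:", computed)
    print("rspauth :", rspauth)
```

Running it prints the recomputed response and rspauth for the "pop/elwood.innosoft.com" digest-uri next to the posted value, so the "standard disclaimer" above can be replaced by an actual comparison; the same function with the original "imap/" digest-uri reproduces the RFC 2831 example values, which is the check that the implementation itself is right.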




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0EJu8ZE056830 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Jan 2007 12:56:09 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0EJu8bh056829; Sun, 14 Jan 2007 12:56:08 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from yxa.extundo.com (178.230.13.217.in-addr.dgcsystems.net [217.13.230.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0EJu499056815 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 14 Jan 2007 12:56:06 -0700 (MST) (envelope-from simon@josefsson.org)
Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l0EJtdxm017999 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Jan 2007 20:55:42 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Abhijit Menon-Sen <ams@oryx.com>
Cc: Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-sasl@imc.org, lisa@osafoundation.org, ietf-pop3ext@imc.org, robsiemb@google.com, alexey.melnikov@isode.com
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:070114:ietf-sasl@imc.org::PgaVXg3Zf18wX8jZ:16rE
X-Hashcash: 1:22:070114:nobody@xyzzy.claranet.de::Ip8MFZ3cn7PVoqi3:FZs
X-Hashcash: 1:22:070114:lisa@osafoundation.org::eIACJyxwdw1cw5RQ:71c9
X-Hashcash: 1:22:070114:ams@oryx.com::yfpTExiSbIeGGZHU:NXAb
X-Hashcash: 1:22:070114:robsiemb@google.com::B4gyd4aGf1XxNrng:a7Zw
X-Hashcash: 1:22:070114:alexey.melnikov@isode.com::uEgbpcqK7jBv4FDz:OIFW
X-Hashcash: 1:22:070114:ietf-pop3ext@imc.org::MxUMJgYkoQC25mRA:01TYi
Date: Sun, 14 Jan 2007 20:55:39 +0100
In-Reply-To: <20070114105359.GA30833@penne.toroid.org> (Abhijit Menon-Sen's message of "Sun\, 14 Jan 2007 16\:23\:59 +0530")
Message-ID: <87k5zpgz7o.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Status: No, score=-0.8 required=4.0 tests=AWL,BAYES_05, FORGED_RCVD_HELO autolearn=ham version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Abhijit Menon-Sen <ams@oryx.com> writes:

>> A mandatory CRAM-MD5 as recommended in BCP 46 could make sense
>
> This draft (and rfc2554bis, which Alexey is editing) were both changed
> to use DIGEST-MD5 based on concerns about security. That's the way it
> was when I started editing it, so I'll change it only if there's clear
> consensus about the preferred replacement.
>
> Having implemented both client and server sides of DIGEST-MD5, I can't
> say I'm very fond of it either. Personally, I'd be happy with TLS+PLAIN
> or CRAM-MD5 (or whatever else makes everyone happy without a significant
> security penalty; and I gather CRAM-MD5 is frowned upon in that regard).

I prefer TLS+PLAIN and TLS+CRAM-MD5 over DIGEST-MD5 as well.  I
believe they both offer better interoperability and security than
DIGEST-MD5 currently can.

/Simon



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0EAsFR7018115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Jan 2007 03:54:15 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0EAsFmh018113; Sun, 14 Jan 2007 03:54:15 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from fugue.toroid.org (fugue.toroid.org [85.10.196.113]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0EAs8XS018099; Sun, 14 Jan 2007 03:54:13 -0700 (MST) (envelope-from ams@toroid.org)
Received: from penne.toroid.org (localhost [127.0.0.1]) by fugue.toroid.org (Postfix) with ESMTP id CA182F469; Sun, 14 Jan 2007 11:54:00 +0100 (CET)
Received: by penne.toroid.org (Postfix, from userid 1000) id 4066F17D7C2; Sun, 14 Jan 2007 16:23:59 +0530 (IST)
Date: Sun, 14 Jan 2007 16:23:59 +0530
From: Abhijit Menon-Sen <ams@oryx.com>
To: Frank Ellermann <nobody@xyzzy.claranet.de>
Cc: ietf-sasl@imc.org, lisa@osafoundation.org, ietf-pop3ext@imc.org, robsiemb@google.com, alexey.melnikov@isode.com
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Message-ID: <20070114105359.GA30833@penne.toroid.org>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45A9DFA8.68E4@xyzzy.claranet.de>
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

At 2007-01-14 08:45:44 +0100, nobody@xyzzy.claranet.de wrote:
>
> None of the POP3 servers I know support SASL, let alone DIGEST-MD5.

Just a note: My POP3 server has supported SASL for a long time.

> A mandatory CRAM-MD5 as recommended in BCP 46 could make sense

This draft (and rfc2554bis, which Alexey is editing) were both changed
to use DIGEST-MD5 based on concerns about security. That's the way it
was when I started editing it, so I'll change it only if there's clear
consensus about the preferred replacement.

Having implemented both client and server sides of DIGEST-MD5, I can't
say I'm very fond of it either. Personally, I'd be happy with TLS+PLAIN
or CRAM-MD5 (or whatever else makes everyone happy without a significant
security penalty; and I gather CRAM-MD5 is frowned upon in that regard).

> Other nits / questions about the -08 draft:
>
> RFC 1734  had "AUTH" 1*WSP auth_type *(CRLF base64) CRLF
> The draft has "AUTH" SP sasl-mech [SP (base64 / "=" )] *(CRLF [base64]) CRLF
> 
> 1: Why was 1*WSP replaced by a single SP ?

I don't know (happened before I inherited the draft). Rob?

> 2: What's the idea of *(CRLF [base64]) instead of *(CRLF base64) ?

That some client responses may be empty.

> 3: A bare "=" is an empty initial response.  A clearer syntax might be:
> 
>   auth-command     = "AUTH" SP sasl-mech [SP initial-response] CRLF
>   initial-response = "=" / (base64 *(CRLF base64))

That's wrong. The initial-response would be:

    initial-response = "=" / base64

The ABNF is defining the AUTH command as the first "AUTH mech ir" line
followed by a series of (possibly empty) responses to server challenges.

> The syntax as is allows AUTH mech =<crlf>base64<crlf><crlf>base64<crlf>

Right. "AUTH mech =" followed by a base64 response, followed by an empty
response, followed by another base64 response.

> 4: How does the server determine the end of an <initial-response> ?

CRLF.

> The added DIGEST-MD5 example (thanks!) uses an RFC 4422 "empty response"
> at the end:
> 
>     S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
>     C:
>     S: +OK Maildrop locked and ready
> 
> 5: Why is an empty response no "=" as in the <initial-response> ?

Because it's not an initial response. (The "=" encoding for an empty
SASL initial response is taken from Rob's IMAP SASL-IR draft.)

> The syntax for <continue-req> requires a trailing space if it's empty.
> 
>     continue-req    = "+" SP [base64] CRLF

That's consistent with IMAP.

I notice the following:

    Additionally, the ABNF specified in [RFC2449] is updated as follows:

          challenge      /= continue-req

But the ABNF specified in RFC2449 (pop3 extension mechanism) doesn't
actually define a "challenge" at all (and that /= should be =/ in any
case). I can't find anything that seems to define challenge in a way
relevant to POP3. (1734 doesn't define challenge at all.)

Rob? Do you remember what the intent was here?

> 7: Why is the POP3 DIGEST-MD5 digest-uri="imap/elwood.innosoft.com" ?
>    If it's supposed to be the concatenation of "pop/" and <realm>
>    the draft needs to say so because 2831bis doesn't allow "pop3/".

Because I was lazy enough to cut and paste the example from 2831. I'll
fix that (though I must admit I'm not looking forward to having to put
together a valid DIGEST-MD5 example).

> 8: What is the meaning of a <realm> wrt POP3 ?  Can servers pick what
>    they like ?   What's the definition of <authzid> wrt POP3 ?  If it
>    isn't allowed the draft should mention this.

That depends entirely on the server implementation, I'd say.

> 9: RFC 2831 requires that the size of a digest-response is less than
>    4096 bytes.  4*4095/3=5460, the draft should state this limit for
>    a DIGEST-MD5 response, it's more than the 40 guaranteed in RFC 1939.

I don't think it's really necessary. The length limitation, so far as it
applies to the initial-response, is described already:

          For the purposes of the initial client response, the line
          length limitation defined in [RFC2449] still applies.  If a
          client initial send would cause the AUTH command to exceed
          this length, the client MUST NOT use the initial response
          parameter (and must proceed instead by sending its initial
          response after an empty challenge from the server, as in
          section 3 of [RFC4422]).

> 10: Is it okay if the server offers no <qop> ?

The qop is optional, and is assumed to be "auth" if not specified (2831,
2.1.1).

> 11: Can the client indicate its <maxbuf>, and what would servers do
>     with it ?  Do all clients support the default 64 KB ?  Wrt POP3 is
>     a <maxbuf> the maximal line length, or the combined multi-line
>     length (i.e. message size) ?

I'm afraid I have no idea.

> 12: The password for the example is "secret", the draft should mention
>     it.  But the <serv-type> has to be fixed anyway.

OK.

Thanks for your comments.

-- ams
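The syntax settled in the exchange above (a single SP, a bare "=" for an empty initial response versus no initial response at all, CRLF as the end of the initial response, and a continue-req that keeps its SP even when the challenge is empty) is small enough to write down as a parser, which is the form an implementer will end up needing anyway. The code below is an added illustration, not the draft's ABNF tooling nor any server's code: the 255-octet ceiling is the RFC 2449 figure cited elsewhere in this thread, used as an assumed default, the mechanism-name pattern follows RFC 4422, and the PLAIN credential is constructed.

```python
# Added example: parse a POP3 AUTH command line and format/parse the server's
# continue-req per the draft ABNF discussed above:
#   auth-command = "AUTH" SP sasl-mech [SP (base64 / "=")] CRLF
#   continue-req = "+" SP [base64] CRLF
# Illustration only; not the draft's or any implementation's code.
import base64
import binascii
import re

# Assumed default: the 255-octet command length RFC 2449 requires servers to
# accept. A server advertising a larger limit via CAPA may raise this.
MAX_COMMAND_OCTETS = 255

# sasl-mech per RFC 4422: 1 to 20 chars of uppercase letters, digits, '-', '_'
_MECH = re.compile(rb"[A-Z0-9_-]{1,20}$")


def parse_auth_command(line: bytes, max_len=MAX_COMMAND_OCTETS):
    """Return (mechanism, initial_response) for one AUTH line (CRLF stripped).

    initial_response is None when absent, b"" for a bare "=" (empty initial
    response), otherwise the decoded bytes. Raises ValueError on anything the
    ABNF does not allow, including the extra whitespace RFC 1734 permitted.
    """
    if len(line) + 2 > max_len:  # count the CRLF the client sends with the line
        raise ValueError("AUTH command exceeds %d octets" % max_len)
    parts = line.split(b" ")
    if parts[0] != b"AUTH" or len(parts) not in (2, 3):
        raise ValueError("malformed AUTH command")
    mech = parts[1]
    if not _MECH.match(mech):
        raise ValueError("invalid SASL mechanism name")
    if len(parts) == 2:
        return mech.decode(), None          # no initial response
    ir = parts[2]
    if ir == b"=":
        return mech.decode(), b""           # empty initial response
    if not ir:
        raise ValueError("trailing SP without initial response")
    try:
        return mech.decode(), base64.b64decode(ir, validate=True)
    except binascii.Error as exc:
        raise ValueError("initial response is not valid base64") from exc


def accepts(line: bytes) -> bool:
    """True if parse_auth_command accepts the line, False if it rejects it."""
    try:
        parse_auth_command(line)
        return True
    except ValueError:
        return False


def format_continue_req(challenge: bytes) -> bytes:
    """Server challenge line; the SP is present even when the challenge is empty."""
    return b"+ " + base64.b64encode(challenge) + b"\r\n"


def parse_continue_req(line: bytes) -> bytes:
    """Client side: decode a continue-req (CRLF stripped); "+ " alone is an empty challenge."""
    if not line.startswith(b"+ "):
        raise ValueError("not a continue-req")
    return base64.b64decode(line[2:], validate=True)


# Constructed sample: PLAIN with empty authzid, authcid "test", password "secret".
SAMPLE_PLAIN_LINE = b"AUTH PLAIN " + base64.b64encode(b"\x00test\x00secret")

if __name__ == "__main__":
    print(parse_auth_command(b"AUTH DIGEST-MD5"))   # ('DIGEST-MD5', None)
    print(parse_auth_command(b"AUTH PLAIN ="))      # ('PLAIN', b'')
    print(parse_auth_command(SAMPLE_PLAIN_LINE))    # ('PLAIN', b'\x00test\x00secret')
    print(format_continue_req(b""))                 # b'+ \r\n'
```

Two points the parser makes explicit: "no initial response" and "empty initial response" are different return values because they lead to different next steps (the server must send an empty challenge in the first case), and every initial response is validated as base64 before any mechanism sees it, so the length ceiling and the decoding failure are handled once, in the framing layer, rather than inside each mechanism.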



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0E7mong006126 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Jan 2007 00:48:50 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0E7mo8L006125; Sun, 14 Jan 2007 00:48:50 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from relay05.de.clara.net (relay05.de.clara.net [212.82.240.74]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0E7mm1v006117 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pop3ext@imc.org>; Sun, 14 Jan 2007 00:48:49 -0700 (MST) (envelope-from nobody@xyzzy.claranet.de)
Received: from [212.82.227.234] (helo=xyzzy) by relay05.de.clara.net with smtp (Exim 4.60 (FreeBSD)) (envelope-from <nobody@xyzzy.claranet.de>) id 1H606b-000A7D-0T; Sun, 14 Jan 2007 08:48:48 +0100
Message-ID: <45A9DFA8.68E4@xyzzy.claranet.de>
Date: Sun, 14 Jan 2007 08:45:44 +0100
From: Frank Ellermann <nobody@xyzzy.claranet.de>
Organization: <URL:http://purl.net/xyzzy>
X-Mailer: Mozilla 3.0 (OS/2; U)
MIME-Version: 1.0
Newsgroups: gmane.ietf.sasl
CC: lisa@osafoundation.org, ietf-pop3ext@imc.org
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Lisa Dusseault wrote:

> Any comments on the document, its intended publication status or current
> implementation status, are welcome.

It won't surprise anybody that I don't like DIGEST-MD5, and consider the
idea to make it mandatory for POP3 as completely wrong.  None of the POP3
servers I know support SASL, let alone DIGEST-MD5.

A mandatory CRAM-MD5 as recommended in BCP 46 could make sense, after all
it's better than APOP, and wrt security almost as good as DIGEST-MD5 for
authentication, but far easier to implement.

Other nits / questions about the -08 draft:

RFC 1734  had "AUTH" 1*WSP auth_type *(CRLF base64) CRLF
The draft has "AUTH" SP sasl-mech [SP (base64 / "=" )] *(CRLF [base64]) CRLF

1: Why was 1*WSP replaced by a single SP ?
2: What's the idea of *(CRLF [base64]) instead of *(CRLF base64) ?

3: A bare "=" is an empty initial response.  A clearer syntax might be:

  auth-command     = "AUTH" SP sasl-mech [SP initial-response] CRLF
  initial-response = "=" / (base64 *(CRLF base64))

The syntax as is allows AUTH mech =<crlf>base64<crlf><crlf>base64<crlf>

4: How does the server determine the end of an <initial-response> ?

The added DIGEST-MD5 example (thanks!) uses an RFC 4422 "empty response"
at the end:

    S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
    C:
    S: +OK Maildrop locked and ready

5: Why is an empty response no "=" as in the <initial-response> ?

The syntax for <continue-req> requires a trailing space if it's empty.

    continue-req    = "+" SP [base64] CRLF

6: Could the draft also get away with "+" [SP [base64]] CRLF ?  Or for
   consistency with the "=", how about "+" SP (base64 / "=") CRLF ?

   In RFC 1734 that used to be "+" SP base64 CRLF, but of course this
   is a backwards compatibility issue, no matter what RFC 1734 said.

7: Why is the POP3 DIGEST-MD5 digest-uri="imap/elwood.innosoft.com" ?
   If it's supposed to be the concatenation of "pop/" and <realm>
   the draft needs to say so because 2831bis doesn't allow "pop3/".

8: What is the meaning of a <realm> wrt POP3 ?  Can servers pick what
   they like ?   What's the definition of <authzid> wrt POP3 ?  If it
   isn't allowed the draft should mention this.

9: RFC 2831 requires that the size of a digest-response is less than
   4096 bytes.  4*4095/3=5460, the draft should state this limit for
   a DIGEST-MD5 response, it's more than the 40 guaranteed in RFC 1939.

10: Is it okay if the server offers no <qop> ?  The digest calculation
    is then different.

11: Can the client indicate its <maxbuf>, and what would servers do
    with it ?  Do all clients support the default 64 KB ?  Wrt POP3 is
    a <maxbuf> the maximal line length, or the combined multi-line
    length (i.e. message size) ?

12: The password for the example is "secret", the draft should mention
    it.  But the <serv-type> has to be fixed anyway.

Frank
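As an added example, not part of Frank's message or of the draft, a server-side parser for the AUTH line and the later client lines, written against the draft grammar he quotes: it shows how a bare "=" is told apart from no initial response, how an empty client line is the RFC 4422 empty response, and how the 5460-character limit he derives from RFC 2831 is enforced before decoding. Mechanism-name syntax is taken from RFC 4422 and the "*" cancel line from RFC 1734; both are assumptions, as is the `AuthSyntaxError` name.

```python
import base64
import binascii
import re

# Mechanism names per RFC 4422: uppercase letters, digits, "-" and "_", 1-20 chars.
MECH_RE = re.compile(r"^[A-Z0-9_-]{1,20}$")
# RFC 2831 caps a digest-response at 4096 octets; 4095 octets base64-encode to
# the 5460 characters Frank computes above, so that is the line-length limit.
MAX_B64_LEN = 5460

class AuthSyntaxError(ValueError):
    pass

def strict_b64decode(token: str) -> bytes:
    # Reject empty, oversized or misaligned input before decoding; validate=True
    # makes stray characters an error instead of silently dropping them.
    if not token or len(token) > MAX_B64_LEN or len(token) % 4 != 0:
        raise AuthSyntaxError("base64 argument empty, too long or misaligned")
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise AuthSyntaxError(f"invalid base64: {exc}")

def parse_auth_command(line: str):
    """Parse  "AUTH" SP sasl-mech [SP (base64 / "=")] CRLF  (the draft grammar
    quoted above).  Returns (mech, None) when no initial response was sent,
    (mech, b"") for a bare "=", and (mech, decoded bytes) otherwise."""
    if not line.endswith("\r\n"):
        raise AuthSyntaxError("missing CRLF")
    parts = line[:-2].split(" ")  # exactly one SP: a double space leaves an empty field
    if parts[0].upper() != "AUTH" or len(parts) not in (2, 3) or not MECH_RE.match(parts[1]):
        raise AuthSyntaxError("malformed AUTH command")
    mech = parts[1]
    if len(parts) == 2:
        return mech, None
    if parts[2] == "=":
        return mech, b""
    return mech, strict_b64decode(parts[2])

def parse_client_response(line: str) -> bytes:
    """A client line sent after a "+ " continuation.  An empty line is the
    RFC 4422 empty response (as in the DIGEST-MD5 example above); a lone "*"
    cancels the exchange (taken from RFC 1734, assumed to still apply)."""
    if not line.endswith("\r\n"):
        raise AuthSyntaxError("missing CRLF")
    body = line[:-2]
    if body == "*":
        raise AuthSyntaxError("client cancelled the exchange")
    return b"" if body == "" else strict_b64decode(body)
```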



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l029P4l7038666 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Jan 2007 02:25:04 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l029P4n1038665; Tue, 2 Jan 2007 02:25:04 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from qualcomm.com ([124.197.182.103]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l029P0io038659 for <ietf-pop3ext@imc.org>; Tue, 2 Jan 2007 02:25:01 -0700 (MST) (envelope-from hardie@qualcomm.com)
Message-Id: <200701020925.l029P0io038659@balder-227.proper.com>
From: hardie@Qualcomm.Com
To: ietf-pop3ext@imc.org
Subject: MAIL SYSTEM ERROR - RETURNED MAIL
Date: Tue, 2 Jan 2007 18:24:58 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_D8DF8047.58FD96A6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>




