
From stephen.farrell@cs.tcd.ie  Fri Apr  1 00:41:20 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5179A3A6C08 for <saag@core3.amsl.com>; Fri,  1 Apr 2011 00:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.849
X-Spam-Level: 
X-Spam-Status: No, score=-106.849 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+6Z-OKk6sRE for <saag@core3.amsl.com>; Fri,  1 Apr 2011 00:41:17 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by core3.amsl.com (Postfix) with ESMTP id C6B713A6BFA for <saag@ietf.org>; Fri,  1 Apr 2011 00:41:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id C92153E4080 for <saag@ietf.org>; Fri,  1 Apr 2011 08:42:54 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-type:subject:mime-version:user-agent:from:date :message-id:received:received:x-virus-scanned; s=cs; t= 1301643774; bh=pVlRCj9dw551F9mDyMh3V+3GssyApENzzo7VsPWMk1Y=; b=g GKXm/v7z8oOlbRB07UEpRYNZlAsOdlfoNd/tS5QU6CFP2/EtO+zaRnI0l8BEkvkp sxgNdFx+UIsrmM2MJP1pCQRff5x/tytK4JTZeBaM0n+VxJvFXUHk6F9Yah4la862 h2x4ZZPi6H9DV81QzkTph5IiBOJE62b0Qp0tV8yVWvZC4fjEejMVGCIYUPxW5WOB KzcqtAyHPVVNeJg8YKMT33i23EMqrsbGasCnl4XQp0IXzag5PRj9EvZhkNoCF6TN 9F6b6FqoTFT7nLerHZB0NOs15KG7dCiwzaJkUgQtuQ1W74AQu8Sk8h9aXCzHZB5Z EUmz4O84dOgyR1kuVjvYw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 5iPRTyBnSDLC for <saag@ietf.org>; Fri,  1 Apr 2011 08:42:54 +0100 (IST)
Received: from [130.129.39.94] (dhcp-275e.meeting.ietf.org [130.129.39.94]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 6C12F3E4074 for <saag@ietf.org>; Fri,  1 Apr 2011 08:42:54 +0100 (IST)
Message-ID: <4D9581E7.2030100@cs.tcd.ie>
Date: Fri, 01 Apr 2011 08:42:31 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: multipart/mixed; boundary="------------050206020904010002030500"
Subject: [saag] Fwd: [OAUTH-WG] moving to Security Area
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2011 07:41:20 -0000

This is a multi-part message in MIME format.
--------------050206020904010002030500
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


FYI

-------- Original Message --------
Subject: [OAUTH-WG] moving to Security Area
Date: Fri, 01 Apr 2011 09:25:45 +0200
From: Peter Saint-Andre <stpeter@stpeter.im>
To: OAuth WG <oauth@ietf.org>

As discussed in the WG session at Prague just now, in discussion with
the Security Area Directors I have decided to move the OAuth Working
Group from the Applications Area to the Security Area of the IETF. The
rationale is that all of the most important work remaining for the WG to
produce OAuth 2.0 is security-related. Moving the WG to the Security
Area will enable us to receive all of the right security reviews as
early as possible before submitting the base specification to the IESG.

Stephen Farrell of the Security Area will be your new AD, and I will
stay on as Applications Area advisor.

Let's complete the important work of the OAuth WG and do the best we can
to make HTTP-based authorization more secure.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




--------------050206020904010002030500
Content-Type: text/plain;
 name="Attached Message Part"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="Attached Message Part"

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--------------050206020904010002030500--

From y.oiwa@aist.go.jp  Fri Apr  1 01:34:25 2011
Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CFFB3A63EB; Fri,  1 Apr 2011 01:34:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.09
X-Spam-Level: 
X-Spam-Status: No, score=-0.09 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9-EwRzeem2v; Fri,  1 Apr 2011 01:34:24 -0700 (PDT)
Received: from mx1.aist.go.jp (mx1.aist.go.jp [150.29.246.133]) by core3.amsl.com (Postfix) with ESMTP id 78BC73A63CB; Fri,  1 Apr 2011 01:34:23 -0700 (PDT)
Received: from rqsmtp1.aist.go.jp (rqsmtp1.aist.go.jp [150.29.254.115]) by mx1.aist.go.jp  with ESMTP id p318Zxbg010838; Fri, 1 Apr 2011 17:35:59 +0900 (JST) env-from (y.oiwa@aist.go.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=aist.go.jp; s=aist; t=1301646961; bh=B1D3MeKuJ7jTyGU7QWVs1An4AFK5RQmIiqSnPdRZ7Y8=; h=Message-ID:Date:From; b=YhGw98EvIAucAxIIwRVbxr0F8H3b70z8DilE5ckrw6AcEHI/nOu68qL2667Dt867R jmTbceVlL6+2TTGWDYSEdjGGncX5zO0fIPzEugsHIOwVXwT909B2MTuccEIxPo1aDm Fd/e5D19uQBuRGovh07RVZwqk+pKr71A7OOlYc0Q=
Received: from smtp1.aist.go.jp by rqsmtp1.aist.go.jp  with ESMTP id p318ZxSp001680; Fri, 1 Apr 2011 17:35:59 +0900 (JST) env-from (y.oiwa@aist.go.jp)
Received: by smtp1.aist.go.jp  with ESMTP id p318ZtXH007675; Fri, 1 Apr 2011 17:35:56 +0900 (JST) env-from (y.oiwa@aist.go.jp)
Message-ID: <4D958E69.4070001@aist.go.jp>
Date: Fri, 01 Apr 2011 17:35:53 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: multipart/mixed; boundary="------------000207060109020001020709"
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: [saag] Meeting minutes for the http-auth side-meeting
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2011 08:34:25 -0000

This is a multi-part message in MIME format.
--------------000207060109020001020709
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

Dear all in http-auth and saag lists,

I have uploaded minutes of the Wednesday "http-auth" side meeting to the app-area wiki,
http://trac.tools.ietf.org/area/app/trac/wiki/BarBofs/IETF80/http-auth/minutes

Please let me know if you have updates or additions, which will be really
appreciated.

A copy of the current minutes is attached below:

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

--------------000207060109020001020709
Content-Type: text/plain;
 name="minutes-http-auth-barbof-IETF80-oiwa.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="minutes-http-auth-barbof-IETF80-oiwa.txt"
--------------000207060109020001020709--

From leifj@sunet.se  Thu Mar 31 02:34:37 2011
Return-Path: <leifj@sunet.se>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CB2713A680E for <saag@core3.amsl.com>; Thu, 31 Mar 2011 02:34:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.425
X-Spam-Level: 
X-Spam-Status: No, score=-2.425 tagged_above=-999 required=5 tests=[AWL=0.175,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oIY7Jq6PqQvn for <saag@core3.amsl.com>; Thu, 31 Mar 2011 02:34:36 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id CBB2E3A68E1 for <saag@ietf.org>; Thu, 31 Mar 2011 02:34:25 -0700 (PDT)
Received: from [130.129.8.61] ([130.129.8.61]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p2V9a0DK029929 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Thu, 31 Mar 2011 11:36:03 +0200 (CEST)
Message-ID: <4D944B00.70909@sunet.se>
Date: Thu, 31 Mar 2011 11:36:00 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sun, 03 Apr 2011 15:07:36 -0700
Subject: [saag] abfab ietf80
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 09:34:37 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


abfab met twice this week. The first session was devoted to
architecture and use-case documents. The first session got a
report from the moonshot project which is one implementation
of abfab technology. Work in moonshot is progressing very
quickly and has demonstrated abfab for SSH, LDAP and XMPP.

The second session was devoted to review of the core documents
and new proposed wg documents. Work in the wg is progressing well.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2USwAACgkQ8Jx8FtbMZnf0PACgvMzjMs1o7wbxgg9BY5PC5X4B
ivcAoKBu4j6wg015bCUOKEmLh7SPFcG0
=CTGo
-----END PGP SIGNATURE-----

From shawn.emery@oracle.com  Mon Apr  4 12:58:35 2011
Return-Path: <shawn.emery@oracle.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 668F73A67B4 for <saag@core3.amsl.com>; Mon,  4 Apr 2011 12:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.506
X-Spam-Level: 
X-Spam-Status: No, score=-6.506 tagged_above=-999 required=5 tests=[AWL=0.093,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sthoU0FtYZTT for <saag@core3.amsl.com>; Mon,  4 Apr 2011 12:58:34 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 7744C3A6768 for <saag@ietf.org>; Mon,  4 Apr 2011 12:58:34 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id p34K0Fcd006366 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <saag@ietf.org>; Mon, 4 Apr 2011 20:00:17 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id p34K0EEw006202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Mon, 4 Apr 2011 20:00:15 GMT
Received: from abhmt012.oracle.com (abhmt012.oracle.com [141.146.116.21]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p34K0E5J028160 for <saag@ietf.org>; Mon, 4 Apr 2011 15:00:14 -0500
Received: from [10.7.250.156] (/10.7.250.156) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 04 Apr 2011 13:00:14 -0700
Message-ID: <4D9A234D.6000300@oracle.com>
Date: Mon, 04 Apr 2011 14:00:13 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.2.15) Gecko/20110313 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: acsmt356.oracle.com [141.146.40.156]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090202.4D9A234F.00AD:SCFSTAT5015188,ss=1,fgs=0
Subject: [saag] IETF 80: kitten WG summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2011 19:58:35 -0000

The kitten WG met Friday afternoon for sessions I and II.

Update
---------
digest-to-historic has moved to IETF-LC.
extensions-iana has had a WG consensus call to specify a per programming 
language registry.  No new work has been done recently.
naming-exts draft has had comments during WGLC.
sasl-openid WGLC has expired with no comments.
sasl-saml WGLC started on 3/30/11 and will end on 4/13/11.

Presentations
-----------------
Klaas Wierenga: sasl-saml update.
Scott Cantor: Channel bindings for SAML-EC.
Simon Josefsson: SASL and GSS-API mechanisms for two-factor authentication.
Alexey Melnikov: Extensibility of SASL error conditions.

Recharter
------------
Consensus calls were made to decide on whether the WG would adopt the 
following:
draft-mills-kitten-sasl-oauth
draft-cantor-ietf-kitten-saml-ec
The call in the room was that we do adopt these drafts.  This will go to 
the list as well.

Shawn Emery
Tom Yu
Alexey Melnikov
kitten, co-chairs

From hallam@gmail.com  Tue Apr  5 06:56:49 2011
Return-Path: <hallam@gmail.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE25A3A67DF for <saag@core3.amsl.com>; Tue,  5 Apr 2011 06:56:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.042
X-Spam-Level: 
X-Spam-Status: No, score=-3.042 tagged_above=-999 required=5 tests=[AWL=-0.444, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1tfBGQS1ZvNq for <saag@core3.amsl.com>; Tue,  5 Apr 2011 06:56:42 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by core3.amsl.com (Postfix) with ESMTP id 2ADD83A693B for <saag@ietf.org>; Tue,  5 Apr 2011 06:56:42 -0700 (PDT)
Received: by vxg33 with SMTP id 33so358373vxg.31 for <saag@ietf.org>; Tue, 05 Apr 2011 06:58:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=TQsjGPB9LuabBEFStyZz29q8PkwYElQKJPP/ScybIM4=; b=VSBDRxqtAsHY/tL25BvFZxuSWRNWiXRwl/GydMEFhBllt522i4YRsiggc+1k1v3okK zxsqPTkAS7GAUkgrAyUe09u1ZJHI+1NwJSetJDx+bZvv8pNcGwsMvmjk72+zOVhVFwMi kVANqqF3kccyIJCNfjdXTQgPax3viwBgfoHxQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=YVlD3xlLqyZkzm5p3ZGk5Bgam6qyQXkVgD4Pmn1qKc0t7/NXtKFjTSaNyObghMA/FC mgjmnGXeX9duZENAsgxDQe/wO64RHEDTNM4rMe3+6mFPbGk+q3YEUvNnhNs+eWrNxsAd c0sSi8xij4+f7+zOx4thxMT/jHkvysBoZ7GiE=
MIME-Version: 1.0
Received: by 10.52.66.7 with SMTP id b7mr5825996vdt.138.1302011905053; Tue, 05 Apr 2011 06:58:25 -0700 (PDT)
Received: by 10.52.161.42 with HTTP; Tue, 5 Apr 2011 06:58:25 -0700 (PDT)
Date: Tue, 5 Apr 2011 15:58:25 +0200
Message-ID: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary=20cf307cff9c18150004a02c45b3
Subject: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2011 13:56:50 -0000

--20cf307cff9c18150004a02c45b3
Content-Type: text/plain; charset=ISO-8859-1

There was a proposal (possibly in a bar, possibly at SECDIR) that there be a
single WG to look at upgrading protocols to use SHA3 across the board.

This group would not be allowed to do anything other than add algorithms, it
would not be allowed to 'fix' things in the protocol.

I see the following issues:

1) Drop in replacement of SHA3 for SHA1 should be straightforward

2) Replacement of RSA-with-SHA1 for RSA-with-SHA3 is a bit more involved. We
have to consider things like packing etc. If we are going to make SHA3
consistent across the board, we should probably decide on a consistent
approach to using RSA. Different protocols have different approaches.

3) Replacement of HMAC-SHA1 is also required and this is likely to be
supported through a native MAC mode in SHA3 which may well be the most
important security benefit that is achieved.

4) In the case that there is a parameterized hash mode, in particular a
random hash, we would have to decide whether or not to use it. I would
really like to be able to use a randomized hash in certificates, I see a lot
of value to doing that there. I am less interested in using randomized
hashes in other circumstances.

5) If we are going to be making SHA3 consistent across the board, would it
make sense to also consider adding ECC support with a consistent curve
consistent across the board?

6) While the group should not be writing features, it would be useful for
it to capture requirements that could then be fed into relevant WGs, in
particular I see a need to interact here with PKIX, TLS and DANE.

6a) In some cases we have protocols that cannot be upgraded without creating
a deployment deadlock. We may well need to think about tools and techniques
that would simplify the process of deployment.

For example, a common file format for storing multi-certs so that a CA can
throw a 'bag' of certificates (RSA-SHA1, RSA-SHA3, RSA-SHA3) at a customer
and the customer's server would then select the one that the client asks
for. This is going to have to integrate with TLS.

6b) Adding stronger cipher suites does not make anyone more secure. You only
improve security if you eliminate insecure suites. Thus the question of
security policy has to be addressed. How does a server tell a client what
its minimum level of security is in a manner that is not subject to a
downgrade attack? (It is easy for the client as they can simply abort the
connection if the level of security is not high enough.)


At the end of the process, I would like to see a single RFC emerge,
preferably one that has a 'memorable' number (RFC 6666 is coming up). And I
would like it to be possible for an implementation to tell users that it has
the modern crypto set by simply referencing that RFC.
-- 
Website: http://hallambaker.com/

--20cf307cff9c18150004a02c45b3--

From pgut001@cs.auckland.ac.nz  Tue Apr  5 07:17:58 2011
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D39428C14F for <saag@core3.amsl.com>; Tue,  5 Apr 2011 07:17:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nlXs8pMXBxI3 for <saag@core3.amsl.com>; Tue,  5 Apr 2011 07:17:52 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id D5D5328C14E for <saag@ietf.org>; Tue,  5 Apr 2011 07:17:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302013176; x=1333549176; h=message-id:date:from:to:cc:subject:references: in-reply-to:mime-version:content-transfer-encoding; z=Message-ID:=20<20110406021933.w5184dtbk0ogc088@webmail.c s.auckland.ac.nz>|Date:=20Wed,=2006=20Apr=202011=2002:19: 33=20+1200|From:=20Peter=20Gutmann=20<pgut001@cs.auckland .ac.nz>|To:=20Phillip=20Hallam-Baker=20<hallam@gmail.com> |Cc:=20saag@ietf.org|Subject:=20Re:=20[saag]=20SHA-3=20Up grade=20group|References:=20<BANLkTik7N=3D+BuoH86f0Am738H LV4gybtAg@mail.gmail.com>|In-Reply-To:=20<BANLkTik7N=3D+B uoH86f0Am738HLV4gybtAg@mail.gmail.com>|MIME-Version:=201. 0|Content-Transfer-Encoding:=207bit; bh=B3f7jENSd702AF+8Tp5gBs58VWa5wYnJalqJd4pSoLY=; b=PniWnIazbMLGaGxDPbdTFLqafcqqJQ/nL7PHNSxdmE6YnUc//EeOyGsQ Dl2w3+UP7zwwqbbGewijOVJ8iXc8/upu4SLwzFpkRNXY1DAnNgS5GpXxv 0TAHN2B35SMgcHLn2S7NUXQhP4n5HuGUyd1B7VQqKcxTarObMFqB40o16 k=;
X-IronPort-AV: E=Sophos;i="4.63,304,1299409200"; d="scan'208";a="55247681"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 06 Apr 2011 02:19:34 +1200
Received: from webcluster2.sit.auckland.ac.nz ([130.216.33.143] helo=eris.cs.auckland.ac.nz) by mf1.fos.auckland.ac.nz with esmtp (Exim 4.69) (envelope-from <pgut001@cs.auckland.ac.nz>) id 1Q776T-0002zr-JA; Wed, 06 Apr 2011 02:19:33 +1200
Received: from 202-169-221-129.worldnet.co.nz (202-169-221-129.worldnet.co.nz [202.169.221.129]) by webmail.cs.auckland.ac.nz (Horde) with HTTP for <pgut001@cs.auckland.ac.nz>; Wed, 06 Apr 2011 02:19:33 +1200
Message-ID: <20110406021933.w5184dtbk0ogc088@webmail.cs.auckland.ac.nz>
Date: Wed, 06 Apr 2011 02:19:33 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
In-Reply-To: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.0.1)
X-Originating-IP: 202.169.221.129
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2011 14:17:58 -0000

Phillip Hallam-Baker <hallam@gmail.com> writes:

> 3) Replacement of HMAC-SHA1 is also required and this is likely to be
> supported through a native MAC mode in SHA3 which may well be the most
> important security benefit that is achieved.

Uhh, given that there's nothing wrong with HMAC-SHA1, I think this needs to be
rephrased a bit.  In particular the security benefit to replacing HMAC-SHA1
with SHA3-MAC (or whatever it'll be called) is precisely zero.  I'm guessing
the benefit of switching is that you'll only need to provide one hash
algorithm, SHA-3, for signing and integrity-protection.  However, whatever
text is produced should point out that this is a convenience switch, not a
security upgrade.

Peter.
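
Hallam-Baker's points 1 to 3 and Gutmann's reply above turn on what "drop-in" means in practice; the following added example (editor's code, not from either poster or from any IETF draft) shows why a hash swap is a pure drop-in for HMAC but needs a new OID and DigestInfo encoding for an RSA PKCS#1 v1.5 signature. It assumes sha3_256 as the SHA-3 variant and uses the OID NIST registered for it after this thread.

```python
"""Why a hash swap is a drop-in for HMAC but not for RSA PKCS#1 v1.5.

Added example, not code from any poster on this thread. It models the
"packing" Hallam-Baker mentions: an RSA PKCS#1 v1.5 signature wraps the
digest in a DER DigestInfo that names the hash by OID, so a new hash needs
a new OID and a new encoding, whereas HMAC needs neither.
"""
import hashlib
import hmac

# SHA-1 and SHA-256 OIDs as used in RFC 3447; the sha3_256 OID is the one
# NIST registered after this 2011 thread (assumption: sha3_256 is the
# SHA-3 variant being substituted).
HASH_OIDS = {
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha3_256": "2.16.840.1.101.3.4.2.8",
}


def der_len(n: int) -> bytes:
    """DER length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128 with continuation bits, most significant group first
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return b"\x06" + der_len(len(body)) + bytes(body)


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }.

    This is the 'packing' step: the hash identity travels inside the
    signature, so the hash cannot be swapped without a new OID.
    """
    alg_id = der_oid(HASH_OIDS[hash_name]) + b"\x05\x00"
    alg_seq = b"\x30" + der_len(len(alg_id)) + alg_id
    octets = b"\x04" + der_len(len(digest)) + digest
    inner = alg_seq + octets
    return b"\x30" + der_len(len(inner)) + inner


def emsa_pkcs1_v15(hash_name: str, message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 3447 s9.2): 00 01 FF..FF 00 || DigestInfo."""
    t = digest_info(hash_name, hashlib.new(hash_name, message).digest())
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def mac(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC needs no per-hash encoding: any hashlib name is a drop-in."""
    return hmac.new(key, message, hash_name).digest()
```

The SHA-1 and SHA-256 DigestInfo prefixes the code produces are the byte strings listed in RFC 3447 section 9.2, which is the "packing" a SHA-3 signature scheme has to define anew.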


From stephen.farrell@cs.tcd.ie  Tue Apr  5 07:38:23 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 491F528C115 for <saag@core3.amsl.com>; Tue,  5 Apr 2011 07:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7ddrodWOhgM for <saag@core3.amsl.com>; Tue,  5 Apr 2011 07:38:13 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by core3.amsl.com (Postfix) with ESMTP id 7DFA328C0EC for <saag@ietf.org>; Tue,  5 Apr 2011 07:38:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 80CBC3E406D; Tue,  5 Apr 2011 15:39:55 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1302014390; bh=sucnzXpeqF4Rrz iAJC7SamrSJLuy81FAvLq2brieYlk=; b=ZX20hDb7P5YIXWBvTJSKNiGGt3m+Ip CHo9C64fwQII0Q6myMlRSZ4xABU9mgIUkSHD+ghDkLaOWujrPylm39MQ32u3S+Ph gsXxTC6NzElcQOVLMYLlk2tWU0UiqjKdgEraac1Y9Z5fz9o8dDF3yV6icPd1BqNL vRBwYMyROsIBf6doEVlfK6slUt1+TA/ATyutLVxsApLJBw1ZqqWqzxIWORMOhU0r fj8950Fs6s12pOxeBe1h0YxtHjpg76yLsh2/CMkJvWT4aKiZlXPTlVcy0cxnOSmL CIcrgWqzEFXSx/Bts82Fx4+2mCZ24hOTdHv3vS7kLO8z6FohgNu0cuUw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id GA1C9abFZfMo; Tue,  5 Apr 2011 15:39:50 +0100 (IST)
Received: from [134.226.36.137] (stephen-samy.dsg.cs.tcd.ie [134.226.36.137]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 9D8B33E406B; Tue,  5 Apr 2011 15:39:50 +0100 (IST)
Message-ID: <4D9B29B7.5060402@cs.tcd.ie>
Date: Tue, 05 Apr 2011 15:39:51 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
In-Reply-To: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

Right - thanks for starting this. We had meant to try to bring
it up at the saag session but didn't have time. It was
discussed briefly at the secdir lunch.

We do plan to discuss it at saag next time, but progress on
this list in the meantime would be good. If this gets to be
a lot of mail we can set up a new list.

The basic idea is as Phill said - to try to define code
points, ciphersuites for the loads of things that might
want sha3 without modifying protocols, and to do so in
a way that removes the temptation to meddle with protocols
that may otherwise arise:-)

Some questions I see are:

- good/bad idea generally?
- not modifying protocols means not changing the mandatory
  to implement algorithms, so each time we wanted to move
  to actually using a sha3 thing, that'd require more work
  in another WG or as an AD sponsored draft - does that
  make sense?
- scoping - should we try to identify protocols that will need new
  codepoints/ciphersuites now and just charter something for those,
  or should that be the first task of such a group, to be
  followed by rechartering?
- when to start? we might be able to get started before
  the competition is done if we knew the sizes etc. earlier,
  would that be worthwhile? (I believe we won't know the
  winner for about a year or so.)
- how to deal with this where there is an existing WG (e.g.
  TLS, kerberos) - would it help to offload some of the work
  to such a group, or is it better left just to those WGs?
  if the putative group were to take on work in e.g. TLS
  then I assume that anything relevant would have to be
  last called in both the new group and TLS for example.
- who'd help? (it'll be kind of boring I expect:-) NIST
  might be able to help (Tim said:-) but we'd need people
  who know the actual protocols as well of course
- I'm sure there's more we've not thought of yet.

FWIW, I don't see the output being one RFC here. I can't
see that one spec would be that useful given the range of
protocols that might want to make use of sha3.

Stephen.


On 05/04/11 14:58, Phillip Hallam-Baker wrote:
> There was a proposal (possibly in a bar, possibly at SECDIR) that there
> be a single WG to look at upgrading protocols to use SHA3 across the board. 
> 
> This group would not be allowed to do anything other than add
> algorithms, it would not be allowed to 'fix' things in the protocol. 
> 
> I see the following issues:
> 
> 1) Drop in replacement of SHA3 for SHA1 should be straightforward
> 
> 2) Replacement of RSA-with-SHA1 for RSA-with-SHA3 is a bit more
> involved. We have to consider things like packing etc. If we are going
> to make SHA3 consistent across the board, we should probably decide on a
> consistent approach to using RSA. Different protocols have different
> approaches.
> 
> 3) Replacement of HMAC-SHA1 is also required and this is likely to be
> supported through a native MAC mode in SHA3 which may well be the most
> important security benefit that is achieved.
> 
> 4) In the case that there is a parameterized hash mode, in particular a
> random hash, we would have to decide whether or not to use it. I would
> really like to be able to use a randomized hash in certificates, I see a
> lot of value to doing that there. I am less interested in using
> randomized hashes in other circumstances.
> 
> 5) If we are going to be making SHA3 consistent across the board, would
> it make sense to also consider adding ECC support with a consistent
> curve consistent across the board?
> 
> 6)  While the group should not be writing features, it would be useful
> for it to capture requirements that could then be fed into relevant WGs,
> in particular I see a need to interact here with PKIX, TLS and DANE.
> 
> 6a) In some cases we have protocols that cannot be upgraded without
> creating a deployment deadlock. We may well need to think about tools
> and techniques that would simplify the process of deployment. 
> 
> For example, a common file format for storing multi-certs so that a CA
> can throw a 'bag' of certificates (RSA-SHA1, RSA-SHA3, RSA-SHA3) at a
> customer and the customer's server would then select the one that the
> client asks for. This is going to have to integrate with TLS.
> 
> 6b) Adding stronger cipher suites does not make anyone more secure. You
> only improve security if you eliminate insecure suites. Thus the
> question of security policy has to be addressed. How does a server tell
> a client what its minimum level of security is in a manner that is not
> subject to a downgrade attack? (It is easy for the client as they can
> simply abort the connection if the level of security is not high enough.)
> 
> 
> At the end of the process, I would like to see a single RFC emerge,
> preferably one that has a 'memorable' number (RFC 6666 is coming up).
> And I would like it to be possible for an implementation to tell users
> that it has the modern crypto set by simply referencing that RFC. 
> -- 
> Website: http://hallambaker.com/
> 
> 
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

From stephen.farrell@cs.tcd.ie  Tue Apr  5 07:48:32 2011
Message-ID: <4D9B2C20.6020604@cs.tcd.ie>
Date: Tue, 05 Apr 2011 15:50:08 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "saag@ietf.org" <saag@ietf.org>
Subject: [saag] Pick a saag presentation for Quebec...

And while we're filling the saag folder. I'm sure we've all
noted the general warmth with which many saag presentations
have been greeted over the years:-)

Next time, as an experiment, we'd like you to pick one of
them.

So, please send suggestions to the list, for topic and
optionally presenter, ideally with the presenter's
agreement, for a 20-30 minute slot and we'll see what
folks here want to hear/talk about and whether we can
arrange that.

I guess suggestions before say June 5th should give us
enough time to get stuff sorted. We'll figure some way
to let you all help pick one after that.

If this works ok, we'll keep it up. If not, then we
won't. If we need to tweak things to make it work then
we'll do that.

Please keep the subject line intact for suggestions and
discussions about picking a presentation. If discussion
wanders off into the meat of a topic, then start a new
thread.

Thanks,
Stephen.

PS: Don't worry - the ADs will still pick some topics, so
you won't lose the opportunity to ask how we could
possibly be so dumb:-)



From nico@cryptonector.com  Tue Apr  5 08:56:12 2011
In-Reply-To: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
Date: Tue, 5 Apr 2011 10:57:54 -0500
Message-ID: <BANLkTinVL=eNkvBSTd_zzq+ic-Gt7uWVCA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 8:58 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> There was a proposal (possibly in a bar, possibly at SECDIR) that there be a
> single WG to look at upgrading protocols to use SHA3 across the board.
> This group would not be allowed to do anything other than add algorithms, it
> would not be allowed to 'fix' things in the protocol.
> I see the following issues:

> 5) If we are going to be making SHA3 consistent across the board, would it
> make sense to also consider adding ECC support with a consistent curve
> consistent across the board?

This strikes me as potentially difficult to do without "fixing" the
protocol, in some cases.

> 6b) Adding stronger cipher suites does not make anyone more secure. You only
> improve security if you eliminate insecure suites. Thus the question of
> security policy has to be addressed. How does a server tell a client what
> its minimum level of security is in a manner that is not subject to a
> downgrade attack? (It is easy for the client as they can simply abort the
> connection if the level of security is not high enough.)

Phase out of older algorithms should be the province of each WG.

> At the end of the process, I would like to see a single RFC emerge,
> preferably one that has a 'memorable' number (RFC 6666 is coming up). And I
> would like it to be possible for an implementation to tell users that it has
> the modern crypto set by simply referencing that RFC.

I am not sure that this is a good idea.  It's workable, but review of
each little protocol fix could delay the whole thing.  I think I'd
rather have a per-protocol RFC and one big FYI that explains what was
done and lists all those little RFCs.  Or, I'd be OK with
re-publishing all those little RFCs in one big one (but then you have
to watch out about where errata go, or obsolete the little ones with
the big one).

Nico
--

From paul.hoffman@vpnc.org  Tue Apr  5 09:23:25 2011
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4D9B29B7.5060402@cs.tcd.ie>
Date: Tue, 5 Apr 2011 09:09:03 -0700
Message-Id: <9623E2EF-23B8-4D7E-A3C9-0027BE46E561@vpnc.org>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <4D9B29B7.5060402@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: saag@ietf.org
Subject: [saag] Timing (was: Re:  SHA-3 Upgrade group)

On Apr 5, 2011, at 7:39 AM, Stephen Farrell wrote:

> - when to start? we might be able to get started before
>  the competition is done if we knew the sizes etc. earlier,
>  would that be worthwhile? (I believe we won't know the
>  winner for about a year or so.)

Tim Polk can correct me if I'm wrong, but since the third hash
conference will be at the end of March next year, it seems unlikely that
NIST will decide the winner a month later. In fact, it seems unlikely
that NIST will decide how many code points will be needed that soon
after the conference, either.

If we aren't going to know for maybe 18 months whether there will be
just one code point, or many code points, for 256-bit strength, it seems
premature to start saying what will be needed in each security protocol.
It is fine to collect data now on which protocols have hashes as
protocol elements, but doing any more than that before we are sure what
the code point needs will be is likely to end up making developers'
lives worse for no good reason.

And we still don't have any statement from NIST about what SHA3 is
supposed to be used for...
--Paul Hoffman


From housley@vigilsec.com  Tue Apr  5 10:32:32 2011
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
Date: Tue, 5 Apr 2011 13:34:12 -0400
Message-Id: <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group


When Steve Bellovin and I were the SEC ADs, we tried to start a project
for the transition of SHA-1 to SHA-256.  We tried to get this started
well in advance of the deadline for the transition.  We thought it would
take 5 years to make the transition AFTER the protocol specifications
were done.  We are still not there across the board.

In my opinion there is a real reason to transition from SHA-1 to
something stronger.  I fear that a focus on SHA3 at this point in time
will further reduce the energy needed to get SHA-256 deployed in all of
the places where it is needed.  Until SHA3 is selected, it is impossible
to determine if it offers any benefits over SHA-256 in our protocols.

Russ


On Apr 5, 2011, at 9:58 AM, Phillip Hallam-Baker wrote:

> There was a proposal (possibly in a bar, possibly at SECDIR) that
> there be a single WG to look at upgrading protocols to use SHA3 across
> the board.
>
> This group would not be allowed to do anything other than add
> algorithms, it would not be allowed to 'fix' things in the protocol.
>
> I see the following issues:
>
> 1) Drop in replacement of SHA3 for SHA1 should be straightforward
>
> 2) Replacement of RSA-with-SHA1 for RSA-with-SHA3 is a bit more
> involved. We have to consider things like packing etc. If we are going
> to make SHA3 consistent across the board, we should probably decide on a
> consistent approach to using RSA. Different protocols have different
> approaches.
>
> 3) Replacement of HMAC-SHA1 is also required and this is likely to be
> supported through a native MAC mode in SHA3 which may well be the most
> important security benefit that is achieved.
>
> 4) In the case that there is a parameterized hash mode, in particular
> a random hash, we would have to decide whether or not to use it. I would
> really like to be able to use a randomized hash in certificates, I see a
> lot of value to doing that there. I am less interested in using
> randomized hashes in other circumstances.
>
> 5) If we are going to be making SHA3 consistent across the board,
> would it make sense to also consider adding ECC support with a
> consistent curve consistent across the board?
>
> 6)  While the group should not be writing features, it would be useful
> for it to capture requirements that could then be fed into relevant WGs,
> in particular I see a need to interact here with PKIX, TLS and DANE.
>
> 6a) In some cases we have protocols that cannot be upgraded without
> creating a deployment deadlock. We may well need to think about tools
> and techniques that would simplify the process of deployment.
>
> For example, a common file format for storing multi-certs so that a CA
> can throw a 'bag' of certificates (RSA-SHA1, RSA-SHA3, RSA-SHA3) at a
> customer and the customer's server would then select the one that the
> client asks for. This is going to have to integrate with TLS.
>
> 6b) Adding stronger cipher suites does not make anyone more secure.
> You only improve security if you eliminate insecure suites. Thus the
> question of security policy has to be addressed. How does a server tell
> a client what its minimum level of security is in a manner that is not
> subject to a downgrade attack? (It is easy for the client as they can
> simply abort the connection if the level of security is not high
> enough.)
>
>
> At the end of the process, I would like to see a single RFC emerge,
> preferably one that has a 'memorable' number (RFC 6666 is coming up).
> And I would like it to be possible for an implementation to tell users
> that it has the modern crypto set by simply referencing that RFC.
> --
> Website: http://hallambaker.com/
>



From hallam@gmail.com  Tue Apr  5 10:42:47 2011
In-Reply-To: <20110406021933.w5184dtbk0ogc088@webmail.cs.auckland.ac.nz>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <20110406021933.w5184dtbk0ogc088@webmail.cs.auckland.ac.nz>
Date: Tue, 5 Apr 2011 19:44:28 +0200
Message-ID: <BANLkTimqikud9diGuzxFxoQecGZeoB1uMw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 4:19 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
>> 3) Replacement of HMAC-SHA1 is also required and this is likely to be
>> supported through a native MAC mode in SHA3 which may well be the most
>> important security benefit that is achieved.
>
> Uhh, given that there's nothing wrong with HMAC-SHA1, I think this needs to be
> rephrased a bit.  In particular the security benefit to replacing HMAC-SHA1
> with SHA3-MAC (or whatever it'll be called) is precisely zero.  I'm guessing
> the benefit of switching is that you'll only need to provide one hash
> algorithm, SHA-3, for signing and integrity-protection.  However, whatever
> text is produced should point out that this is a convenience switch, not a
> security upgrade.

I would hope that the HMAC mode of SHA3 is going to be faster.

But more generally, the objective here is to remove SHA1 from service
because we only get better security when that happens.

In order to audit that, I want to be able to see that there is no SHA1
loaded which may well impact implementations of HMAC-SHA1.


-- 
Website: http://hallambaker.com/

From nico@cryptonector.com  Tue Apr  5 10:48:31 2011
In-Reply-To: <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com>
Date: Tue, 5 Apr 2011 12:50:13 -0500
Message-ID: <BANLkTik0ne6_fUYoSK2tt9=wL_eAx_2_SQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=UTF-8
Cc: Phillip Hallam-Baker <hallam@gmail.com>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

[Resend.  Forgot to reply all.]

On Tue, Apr 5, 2011 at 12:34 PM, Russ Housley <housley@vigilsec.com> wrote:
> In my opinion there is a real reason to transition from SHA-1 to something
> stronger.  I fear that a focus on SHA3 at this point in time will further
> reduce the energy needed to get SHA-256 deployed in all of the places where
> it is needed.  Until SHA3 is selected, it is impossible to determine if it
> offers any benefits over SHA-256 in our protocols.

+1

Also, to avoid having to do some of this twice, I'd recommend leaving
HMAC-SHA-1 uses alone.

The set of security-relevant uses of MD5 and SHA-1 outside HMAC and
outside public key signatures are relatively few, which makes an
upgrade to SHA-256 a project with a good chance of proceeding quickly.

Perhaps then we need these projects:

 - replace non-HMAC-SHA-1, non-RSA uses of MD5 and SHA-1 with SHA-256;
 - replace RSA uses of MD5 and SHA-1 with SHA-256 (and/or randomized
hashes?  but I suspect that non-randomized SHA-256 will be simpler);
 - replace all hashes with SHA-3 where SHA-3 makes it highly desirable.

The last one wouldn't start anytime soon.  The first two could start right now.

Nico
--

From nico@cryptonector.com  Tue Apr  5 10:49:42 2011
In-Reply-To: <BANLkTimqikud9diGuzxFxoQecGZeoB1uMw@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <20110406021933.w5184dtbk0ogc088@webmail.cs.auckland.ac.nz> <BANLkTimqikud9diGuzxFxoQecGZeoB1uMw@mail.gmail.com>
Date: Tue, 5 Apr 2011 12:51:23 -0500
Message-ID: <BANLkTimhTVBXtcCMV_FKUoss-ryLJVyYAQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset=UTF-8
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 12:44 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> I would hope that the HMAC mode of SHA3 is going to be faster.
> But more generally, the objective here is to remove SHA1 from service
> because we only get better security when that happens.
> In order to audit that, I want to be able to see that there is no SHA1
> loaded which may well impact implementations of HMAC-SHA1.

We will not likely lose all the non-security-relevant uses of SHA-1
for a long time, nor many of the security relevant uses for that
matter (think of git, for example, which is not even an Internet
protocol).  By "long time" I mean "on the order of a decade".  Which
means that checking for the absence of SHA-1 code on a system will
only make a poor audit tool.  And if you'd audit _uses_ of SHA-1,
well, then you might as well put "HMAC-SHA-1" in the "OK" column.

In general I prefer auditing that isn't so simplistic that it causes
make-work for admins, or fails outright.

Nico
--
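
The audit Nico argues for above, looking at how SHA-1 and MD5 are used rather than whether SHA-1 code is present, with each use sorted into the three projects from his earlier message, as an added example that is not part of the thread. The findings and their locations are constructed; the alias table records that ssh-rsa and ssh-dss sign with SHA-1 even though their names do not say so.

```python
"""Inventory of how MD5 and SHA-1 are *used*, sorted into the three projects
from Nico's earlier message, instead of a check for whether SHA-1 code is
present at all.  Added example, not from the thread; the findings and their
locations are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Buckets mirroring the project list in the thread.
KEEP = "keep: HMAC-SHA-1 (leave alone for now)"
PROJECT_1 = "project 1: non-HMAC, non-RSA use of MD5/SHA-1 -> SHA-256"
PROJECT_2 = "project 2: RSA signature with MD5/SHA-1 -> SHA-256"
UNAFFECTED = "not affected"

# Names that do not show the hash they use: ssh-rsa and ssh-dss (RFC 4253)
# sign with SHA-1.  Normalising them first is the "is this really a
# non-security use?" step that the thread says takes the real effort.
ALIASES = {"ssh-rsa": "rsa-sha1", "ssh-dss": "dsa-sha1"}

_WEAK = re.compile(r"(?<![a-z0-9])(md5|sha-?1)(?![0-9])", re.IGNORECASE)
_HMAC = re.compile(r"hmac", re.IGNORECASE)
_RSA = re.compile(r"rsa", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    location: str   # file:setting where the use was seen (constructed)
    algorithm: str  # algorithm name exactly as written there


def classify(algorithm: str) -> str:
    """Bucket one algorithm name by how the weak hash is used in it."""
    name = ALIASES.get(algorithm.lower(), algorithm)
    match = _WEAK.search(name)
    if match is None:
        return UNAFFECTED
    weak = match.group(1).lower().replace("-", "")
    if weak == "sha1" and _HMAC.search(name):
        return KEEP
    if _RSA.search(name):
        return PROJECT_2
    return PROJECT_1


def inventory(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding locations by bucket; empty buckets are omitted."""
    result: Dict[str, List[str]] = {}
    for f in findings:
        result.setdefault(classify(f.algorithm), []).append(f.location)
    return {bucket: sorted(locs) for bucket, locs in result.items()}


# Constructed findings, as a scanner of configs and code might report them.
SAMPLE_FINDINGS = [
    Finding("sshd_config:MACs", "hmac-sha1"),
    Finding("sshd_config:HostKeyAlgorithms", "ssh-rsa"),
    Finding("ca/intermediate.pem:signatureAlgorithm", "sha1WithRSAEncryption"),
    Finding("app/session.py:token_digest", "sha1"),
    Finding("app/cache.py:etag", "md5"),
    Finding("ipsec.conf:ike", "hmac-md5"),
    Finding("tls.conf:ciphers", "ECDHE-RSA-AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for bucket, locations in inventory(SAMPLE_FINDINGS).items():
        print(bucket)
        for loc in locations:
            print("   ", loc)
```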

From archwisp@gmail.com  Tue Apr  5 11:01:00 2011
In-Reply-To: <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com>
Date: Tue, 5 Apr 2011 13:02:42 -0500
X-Google-Sender-Auth: 1CYVQ7O1VnKr4l4GhaBpkkMXEFw
Message-ID: <BANLkTimMoPeL_28P03PUhrr_TiUXrCywRw@mail.gmail.com>
From: Bryan Geraghty <bryan@ravensight.org>
To: Russ Housley <housley@vigilsec.com>
Cc: Phillip Hallam-Baker <hallam@gmail.com>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 12:34 PM, Russ Housley <housley@vigilsec.com> wrote:

> In my opinion there is a real reason to transition from SHA-1 to something
> stronger.  I fear that a focus on SHA3 at this point in time will further
> reduce the energy needed to get SHA-256 deployed in all of the places where
> it is needed.

This is a very good point.

> Until SHA3 is selected, it is impossible to determine if it offers any
> benefits over SHA-256 in our protocols.

Due to huge amounts of cryptanalysis and benchmarking, we know that all of
the SHA-3 finalists are out-performing SHA-2 variants in every aspect. I
believe it is pretty clear that there is a benefit. From the results of my
own benchmarking, fighting the urge to implement some of the finalists has
been very hard.

-- 
Bryan C. Geraghty
bryan@ravensight.org
Cell: (702) 715-4574

From hallam@gmail.com  Tue Apr  5 11:09:32 2011
In-Reply-To: <BANLkTik0ne6_fUYoSK2tt9=wL_eAx_2_SQ@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com> <BANLkTik0ne6_fUYoSK2tt9=wL_eAx_2_SQ@mail.gmail.com>
Date: Tue, 5 Apr 2011 20:11:14 +0200
Message-ID: <BANLkTikOb61vPH3bd_3-DOBVxnaDnVz8WQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 7:50 PM, Nico Williams <nico@cryptonector.com> wrote:

> [Resend.  Forgot to reply all.]
>
> On Tue, Apr 5, 2011 at 12:34 PM, Russ Housley <housley@vigilsec.com> wrote:
> > In my opinion there is a real reason to transition from SHA-1 to something
> > stronger.  I fear that a focus on SHA3 at this point in time will further
> > reduce the energy needed to get SHA-256 deployed in all of the places where
> > it is needed.  Until SHA3 is selected, it is impossible to determine if it
> > offers any benefits over SHA-256 in our protocols.
>
> +1
>
> Also, to avoid having to do some of this twice, I'd recommend leaving
> HMAC-SHA-1 uses alone.
>
> The set of security-relevant uses of MD5 and SHA-1 outside HMAC and
> outside public key signatures are relatively few, which makes an
> upgrade to SHA-256 a project with a good chance of proceeding quickly.
>
> Perhaps then we need these projects:
>
>  - replace non-HMAC-SHA-1, non-RSA uses of MD5 and SHA-1 with SHA-256;
>  - replace RSA uses of MD5 and SHA-1 with SHA-256 (and/or randomized
> hashes?  but I suspect that non-randomized SHA-256 will be simpler);
>  - replace all hashes with SHA-3 where SHA-3 makes it highly desirable.
>
> The last one wouldn't start anytime soon.  The first two could start right now.
>
> Nico
> --

It's the non-security use cases that I expect to result in issues.

One big problem is working out whether something is in fact a non-security
use case because that can frequently take rather longer to work out than
fixing the protocol would.

Is the git case really non-security? I have not seen the protocol but I bet
that if a group of college students were given the task of finding an attack
that some of them would surprise you. Sounds to me like the digest is being
used to verify cache integrity. I could certainly see attacks that I could
use there. Isn't git a source code manager? You really think that's not
security related?


-- 
Website: http://hallambaker.com/

From nico@cryptonector.com  Tue Apr  5 12:57:23 2011
In-Reply-To: <BANLkTikOb61vPH3bd_3-DOBVxnaDnVz8WQ@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com> <BANLkTik0ne6_fUYoSK2tt9=wL_eAx_2_SQ@mail.gmail.com> <BANLkTikOb61vPH3bd_3-DOBVxnaDnVz8WQ@mail.gmail.com>
Date: Tue, 5 Apr 2011 14:59:04 -0500
Message-ID: <BANLkTiknTBJeiHosTRxKfh9H_hq84K9Biw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset=UTF-8
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 1:11 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Tue, Apr 5, 2011 at 7:50 PM, Nico Williams <nico@cryptonector.com> wrote:
> Its the non-security use cases that I expect to result in issues.
> One big problem is working out whether something is in fact a non-security
> use case because that can frequently take rather longer to work out than
> fixing the protocol would.

Indeed.

> Is the git case really non security? I have not seen the protocol but I bet

I definitely meant that git is a security-related case because if you
could make useful SHA-1 collisions against non-chosen plaintexts then
you might be able to surreptitiously make undetectable changes to git
repositories or similarly fool clients [that don't use HTTPS or SSHv2
for transport].

> that if a group of college students were given the task of finding an attack
> that some of them would surprise you. Sounds to me like the digest is being
> used to verify cache integrity. I could certainly see attacks that I could
> use there. Isn't git a source code manager? You really think that's not
> security related?

git is a Merkle tree of changesets.

> You really think that's not
> security related?

What I wrote was "...nor many of the security relevant uses for that
matter (think of git, for example...".

Nico
--
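The point about git being a Merkle tree, as an added illustration that is not part of the thread and not git's own code: each object is named by a hash over its bytes, so a commit id commits to every byte beneath it, and an integrity check that re-hashes stored objects catches any edit short of a collision. The blob and tree encoding reproduces git's format (the test vectors below match `git hash-object`); the author line and file contents are constructed.

```python
"""Git as a Merkle tree of content-addressed objects (constructed example)."""
import hashlib

# Constructed author/committer line in git's "Name <email> timestamp tz" form.
AUTHOR = "Example Author <author@example.invalid> 1302000000 -0500"


def object_id(kind: str, payload: bytes, hash_name: str = "sha1") -> str:
    """Git names an object by hashing "<kind> <size>\\0" followed by its bytes.
    hash_name is a parameter only to show the structure does not depend on SHA-1."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.new(hash_name, header + payload).hexdigest()


def blob_id(content: bytes, hash_name: str = "sha1") -> str:
    return object_id("blob", content, hash_name)


def tree_payload(entries) -> bytes:
    """Serialize [(mode, name, hex_id), ...] the way a git tree object stores them:
    entries sorted by name (subtrees sort as "name/"), each "<mode> <name>\\0" + raw id."""
    def sort_key(entry):
        mode, name, _ = entry
        return name + "/" if mode == "40000" else name
    body = b""
    for mode, name, hex_id in sorted(entries, key=sort_key):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return body


def tree_id(entries, hash_name: str = "sha1") -> str:
    return object_id("tree", tree_payload(entries), hash_name)


def commit_payload(tree_hex: str, parents, message: str) -> bytes:
    lines = [f"tree {tree_hex}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {AUTHOR}", f"committer {AUTHOR}", "", message]
    return "\n".join(lines).encode()


def build_repo(files: dict, hash_name: str = "sha1"):
    """One-commit repository: returns (commit id, object store {id: (kind, bytes)}).
    Every file's bytes feed a blob id, the blob ids feed the tree id, and the tree
    id feeds the commit id, so the commit id commits to every byte below it."""
    store, entries = {}, []
    for name, content in files.items():
        bid = blob_id(content, hash_name)
        store[bid] = ("blob", content)
        entries.append(("100644", name, bid))
    tpayload = tree_payload(entries)
    tid = object_id("tree", tpayload, hash_name)
    store[tid] = ("tree", tpayload)
    cpayload = commit_payload(tid, [], "initial import")
    cid = object_id("commit", cpayload, hash_name)
    store[cid] = ("commit", cpayload)
    return cid, store


def verify_store(store: dict, hash_name: str = "sha1") -> list:
    """Recompute each object's id from its stored bytes, as an integrity check does.
    Returns the ids whose content no longer hashes to their name. Changed bytes
    under an unchanged id show up here; only a collision (different bytes, same
    id) would pass, which is why the check is only as strong as the hash's
    collision resistance."""
    return sorted(oid for oid, (kind, payload) in store.items()
                  if object_id(kind, payload, hash_name) != oid)


if __name__ == "__main__":
    files = {"README": b"docs\n", "hello.txt": b"hello\n"}
    cid, store = build_repo(files)
    print("commit", cid, "clean:", verify_store(store) == [])
    # A one-byte edit changes the blob, the tree and the commit id (Merkle propagation).
    cid2, _ = build_repo({**files, "hello.txt": b"hello!\n"})
    print("edited commit", cid2, "differs:", cid != cid2)
    # Replacing stored bytes without re-hashing is caught by verification.
    store[blob_id(b"hello\n")] = ("blob", b"hello!\n")
    print("tampered objects:", verify_store(store))
```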

From archwisp@gmail.com  Tue Apr  5 13:00:59 2011
In-Reply-To: <BANLkTi=xwr-s-oQiuYdMkv9A+wQJv8OuDw@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com> <BANLkTimMoPeL_28P03PUhrr_TiUXrCywRw@mail.gmail.com> <4D9B5DD8.2070102@htt-consult.com> <BANLkTi=xwr-s-oQiuYdMkv9A+wQJv8OuDw@mail.gmail.com>
Date: Tue, 5 Apr 2011 15:02:39 -0500
Message-ID: <BANLkTikL4FKD9gzTSJXQKR7yazikiJMtFQ@mail.gmail.com>
From: Bryan Geraghty <bryan@ravensight.org>
To: saag@ietf.org
Subject: [saag]  SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 1:22 PM, Robert Moskowitz <rgm-sec@htt-consult.com> wrote:

>  Given your testing, can you comment on any which will work well on highly
> constrained sensors?  These sensor vendors cry about anything that adds more
> code or eats up more cpu and battery.  They DO have AES-CCM in hardware.
> Any testing and insights you have will help me in working with people in
> 6lowpan, core, and 802.15.4.
>
> Thanks
>

Actually, this is one of the major areas that is being tested by the
contest. The details of the round 2 candidates were published in February:

http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Round2_Report_NISTIR_7764.pdf

There is so much information available about each algorithm, that it
wouldn't make much sense for me to go into detail here. Since each algorithm
has a different combination of state size/cpu cycles/security
margin/parallelization/raw speed, the person implementing the algorithm
really needs to evaluate what would work best in their situation.

For my purposes, I like Skein but it doesn't have the best performance
characteristics in a constrained environment and it has a large internal
state. On the other hand, it can do MAC internally, which speeds up the
implementation dramatically, and it was designed to be a SHA drop-in
replacement.

The best place for info on the algorithms is:

http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo

Each hash project has its own website where it collects the benchmarks of
each implementation. They are each listed at that site.

Hope this helps,
Bryan


-- 
Bryan C. Geraghty
bryan@ravensight.org
Cell: (702) 715-4574


From nico@cryptonector.com  Tue Apr  5 13:06:46 2011
In-Reply-To: <BANLkTimMoPeL_28P03PUhrr_TiUXrCywRw@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com> <BANLkTimMoPeL_28P03PUhrr_TiUXrCywRw@mail.gmail.com>
Date: Tue, 5 Apr 2011 15:08:28 -0500
Message-ID: <BANLkTimOeDb4ZL6tA0AvqZKnz7mYeqRRNQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Bryan Geraghty <bryan@ravensight.org>
Content-Type: text/plain; charset=UTF-8
Cc: Phillip Hallam-Baker <hallam@gmail.com>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 1:02 PM, Bryan Geraghty <bryan@ravensight.org> wrote:
> Due to huge amounts of cryptanalysis and benchmarking, we know that all of
> the SHA-3 finalists are out-performing SHA-2 variants in every aspect. I
> believe it is pretty clear that there is a benefit. From the results of my
> own benchmarking, fighting the urge to implement some of the finalists has
> been very hard.

Performance considerations are very tempting.  But can we wait?
(Arguably we can, given how long we've waited so far.)

Nico
--

From archwisp@gmail.com  Tue Apr  5 13:12:03 2011
In-Reply-To: <BANLkTimOeDb4ZL6tA0AvqZKnz7mYeqRRNQ@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com> <BANLkTimMoPeL_28P03PUhrr_TiUXrCywRw@mail.gmail.com> <BANLkTimOeDb4ZL6tA0AvqZKnz7mYeqRRNQ@mail.gmail.com>
Date: Tue, 5 Apr 2011 15:13:45 -0500
Message-ID: <BANLkTikKJ97ES+gXDiKeaX=OS=YoEDJQig@mail.gmail.com>
From: Bryan Geraghty <bryan@ravensight.org>
To: Nico Williams <nico@cryptonector.com>
Cc: Phillip Hallam-Baker <hallam@gmail.com>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 3:08 PM, Nico Williams <nico@cryptonector.com> wrote:


> Performance considerations are very tempting.  But can we wait?
> (Arguably we can, given how long we've waited so far.)
>

Agreed. The process takes so long for a good reason. I was just pointing out
that there certainly is a benefit in migrating from the SHA-2 family to
SHA-3 when it's time.

Bryan

-- 
Bryan C. Geraghty
bryan@ravensight.org
Cell: (702) 715-4574


From hallam@gmail.com  Tue Apr  5 14:14:28 2011
In-Reply-To: <BANLkTimOeDb4ZL6tA0AvqZKnz7mYeqRRNQ@mail.gmail.com>
References: <BANLkTik7N=+BuoH86f0Am738HLV4gybtAg@mail.gmail.com> <D639E7B0-548D-4FB0-B17C-39F44F25FD72@vigilsec.com> <BANLkTimMoPeL_28P03PUhrr_TiUXrCywRw@mail.gmail.com> <BANLkTimOeDb4ZL6tA0AvqZKnz7mYeqRRNQ@mail.gmail.com>
Date: Tue, 5 Apr 2011 21:16:10 +0000
Message-ID: <BANLkTikLTvghpu61b5X_95dPgcQcmHLf5Q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Tue, Apr 5, 2011 at 8:08 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Tue, Apr 5, 2011 at 1:02 PM, Bryan Geraghty <bryan@ravensight.org> wrote:
> > Due to huge amounts of cryptanalysis and benchmarking, we know that all of
> > the SHA-3 finalists are out-performing SHA-2 variants in every aspect. I
> > believe it is pretty clear that there is a benefit. From the results of my
> > own benchmarking, fighting the urge to implement some of the finalists has
> > been very hard.
>
> Performance considerations are very tempting.  But can we wait?
> (Arguably we can, given how long we've waited so far.)
>

I think Russ just said that from an IETF point of view: no, we cannot wait;
WGs need to have a deployment plan for SHA256 ASAP and the move to SHA3
cannot be allowed as an excuse for further procrastination.

That said, I think it probably helps if the expectation is set that the
future upgrade to SHA3 is not going to be a reason to keep open an otherwise
finished working group. Since all the current WGs have already considered
how to deploy SHA256, there is really no reason that SHA3 should require
more than a new code point and some test vectors.... That said, I bet that
it is going to turn out otherwise!


-- 
Website: http://hallambaker.com/


From pgut001@login01.cs.auckland.ac.nz  Tue Apr  5 22:08:11 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: hallam@gmail.com, nico@cryptonector.com
In-Reply-To: <BANLkTikLTvghpu61b5X_95dPgcQcmHLf5Q@mail.gmail.com>
Message-Id: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz>
Date: Wed, 06 Apr 2011 17:09:40 +1200
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

Phillip Hallam-Baker <hallam@gmail.com> writes:

>Since all the current WGs have already considered how to deploy SHA256, there
>is really no reason that SHA3 should require more than a new code point and
>some test vectors.... That said, I bet that it is going to turn out otherwise!

+1.  Having a SHA3-upgrade WG would solve the killer problem of crypto geeks
deciding they're going to reinvent half the protocol they're dealing with as a
side-effect of adding a new algorithm (oh yeah, and we can change the key wrap
mechanism, and mandate new key sizes, and add some more message subtypes, and
...).  So the single biggest advantage of having a dedicated SHA3 upgrade WG
would be that it would ensure that that's the only thing that changes in the
protocol.  As you say, we need a new algorithm ID and some test vectors, not
an excuse for every WG to start bikeshedding every security protocol ever
invented.

Peter.

From paul.hoffman@vpnc.org  Wed Apr  6 05:32:44 2011
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz>
Date: Wed, 6 Apr 2011 05:34:25 -0700
Message-Id: <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>
References: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz>
To: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Apr 5, 2011, at 10:09 PM, Peter Gutmann wrote:

> Phillip Hallam-Baker <hallam@gmail.com> writes:
> 
>> Since all the current WGs have already considered how to deploy SHA256, there
>> is really no reason that SHA3 should require more than a new code point and
>> some test vectors.... That said, I bet that it is going to turn out otherwise!
> 
> +1.  Having a SHA3-upgrade WG would solve the killer problem of crypto geeks
> deciding they're going to reinvent half the protocol they're dealing with as a
> side-effect of adding a new algorithm (oh yeah, and we can change the key wrap
> mechanism, and mandate new key sizes, and add some more message subtypes, and
> ...).  So the single biggest advantage of having a dedicated SHA3 upgrade WG
> would be that it would ensure that that's the only thing that changes in the
> protocol.  As you say, we need a new algorithm ID and some test vectors, not
> an excuse for every WG to start bikeshedding every security protocol ever
> invented.

Note, however, if NIST defines SHA-3 with tunable parameters (something
that they have discussed in the hash workshops), then either most
protocols will need to be changed to handle parameters (which none do
now) or "someone" is going to have to decide which parameter we mean for
"SHA-3 that has 256 bits of effective strength", "SHA-3 that has 384
bits of effective strength" and so on. A WG might be good at that, but
the chairs are going to have a hell of a time calling consensus, given
that the likely purpose of parameters (if NIST chooses that path) will
be speed and register size, and we will have to choose which are more
important to us.

--Paul Hoffman


From archwisp@gmail.com  Wed Apr  6 06:18:49 2011
Return-Path: <archwisp@gmail.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F8B628C12B for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:18:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.851
X-Spam-Level: 
X-Spam-Status: No, score=-2.851 tagged_above=-999 required=5 tests=[AWL=0.125,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lrTZA36iyKJr for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:18:47 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id BD7EE28C123 for <saag@ietf.org>; Wed,  6 Apr 2011 06:18:47 -0700 (PDT)
Received: by iwn39 with SMTP id 39so1802985iwn.31 for <saag@ietf.org>; Wed, 06 Apr 2011 06:20:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=VMDKchSLQ1E67hV2J80m4o7Ce13MDnCiwMJLd3MA4xM=; b=uypofpqS0TdVYcxcBMfn7r7nmTY8z7CCQOnqZh1cn9MbQ5jtRh5Hp+2EY+lQmrHFDU x72S89eExRPdCpVh2PwgkcjwtC8+C++zqzMk9+dgPsgaC7PxanP/tx5/srlDCRsNjuDR B/AxKf3s4HZ/eqgEbjA4oJELWNDh+WQswdnWg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; b=Q8LrcEQDuK3sA5lTVT0XdbstNvBkXV8bYYJS2iCg23RXX0SwVkvMqkT4bHfudPJsw7 G0paEAMYmmX+1oKV+7L8TmWHi5HIVLfn/1hrIn8Vm+XTcbsk/Zc8uakFjpTAzpsTwNWg Rfv/mkHMZOwJdmJHaGD1izxfvicBlJ48tfey4=
MIME-Version: 1.0
Received: by 10.43.133.199 with SMTP id hz7mr1383997icc.357.1302096030583; Wed, 06 Apr 2011 06:20:30 -0700 (PDT)
Sender: archwisp@gmail.com
Received: by 10.42.164.67 with HTTP; Wed, 6 Apr 2011 06:20:30 -0700 (PDT)
In-Reply-To: <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>
References: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz> <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>
Date: Wed, 6 Apr 2011 08:20:30 -0500
X-Google-Sender-Auth: iOOo0sFMBYGoRCcYDkCyrlBKH9w
Message-ID: <BANLkTi=zUPaRGF+g5uJ-5eHpj=doU4zDJA@mail.gmail.com>
From: Bryan Geraghty <bryan@ravensight.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>, saag@ietf.org
Content-Type: multipart/alternative; boundary=20cf307f30aa5dcbef04a03fdb91
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 13:18:49 -0000

--20cf307f30aa5dcbef04a03fdb91
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Apr 6, 2011 at 7:34 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

Note, however, if NIST defines SHA-3 with tunable parameters (something that
> they have discussed in the hash workshops), then either most protocols will
> need to be changed to handle parameters (which none do now) or "someone" is
> going to have to decide which parameter we mean for "SHA-3 that has 256 bits
> of effective strength", "SHA-3 that has 384 bits of effective strength" and
> so on. A WG might be good at that, but the chairs are going to have a hell
> of a time calling consensus, given that the likely purpose of parameters (if
> NIST chooses that path) will be speed and register size, and we will have to
> choose which are more important to us.
>

The fact is, NIST defined an API for the SHA-3 competition which every
contestant had to implement:

http://csrc.nist.gov/groups/ST/hash/documents/SHA3-C-API.pdf

I can't imagine they would have gone through all of that trouble and then
change it when the final algorithm is chosen. This standard API made it
extremely easy for implementers to test all of the functions. And the Hash()
function does have an argument for bit length.

-- 
Bryan C. Geraghty
bryan@ravensight.org
Cell: (702) 715-4574

--20cf307f30aa5dcbef04a03fdb91--

From hallam@gmail.com  Wed Apr  6 06:20:11 2011
Return-Path: <hallam@gmail.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 661843A69A6 for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:20:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.023
X-Spam-Level: 
X-Spam-Status: No, score=-3.023 tagged_above=-999 required=5 tests=[AWL=-0.425, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivFWwq2ChJsX for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:20:10 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by core3.amsl.com (Postfix) with ESMTP id C1EB73A6919 for <saag@ietf.org>; Wed,  6 Apr 2011 06:20:09 -0700 (PDT)
Received: by vxg33 with SMTP id 33so1323614vxg.31 for <saag@ietf.org>; Wed, 06 Apr 2011 06:21:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=p9QgIgLqvXMtQH+6+484geiQeGid3rGQwD5fg90lm44=; b=enwhqEK9u+IxFNSNdwe0/csQjRAnBIzRxganMk+rP/LJ0jI9KZ4bVUm7elsHPeLww4 Cc9fIWsYu330M0jF7oIc3NN2g1SBh1xLdkdhUnO3Q9Vm6KDqlb/OCNA7Y8xBQUKI4epE LhL6lM7leOVdzKWNC0r3/n1VEf3ndUU8eHImc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=uPkYwGx/ZG8r0PX1YNjhXyYrWYvTbV6DO2taWZajOscXYP0TiseCdu2dkenL4R0XDp 18RLGyA7eRejzazmBXhbGh1b8BgzC+d68P5EV5DrtvaaQRoMEXOhoDTdR8ntcK7afHBp d9xpAg1jHBqNfLrb0Jj058CCRXiZcoC+9xD3k=
MIME-Version: 1.0
Received: by 10.52.18.11 with SMTP id s11mr55690vdd.269.1302096113421; Wed, 06 Apr 2011 06:21:53 -0700 (PDT)
Received: by 10.52.166.230 with HTTP; Wed, 6 Apr 2011 06:21:53 -0700 (PDT)
In-Reply-To: <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>
References: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz> <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>
Date: Wed, 6 Apr 2011 13:21:53 +0000
Message-ID: <BANLkTinh5rzF_AtyB-Pvap8LhKMTNOzHxg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary=20cf3054a1134dcd1b04a03fe0f7
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 13:20:11 -0000

--20cf3054a1134dcd1b04a03fe0f7
Content-Type: text/plain; charset=ISO-8859-1

Tunable parameters for performance seems to me to be a bad idea in the
context of IETF protocols.

I want to have consistency across IETF protocols so that they all share a
common set of required algorithms. If the IETF has consistency it is almost
certain that W3C and OASIS will follow the same approach.


The reason I want to see a single WG is that I want to have the discussion
exactly once.

At the moment at least 50% of the arguments I see in WGs are repetition of
arguments I have seen before. And the ones that consume the most time are
the ones that everyone can have an opinion on (what color to paint the
bikeshed).

* Choice of crypto algorithm
* Choice of ECC curves
* REST / SOAP BEEP
* XML feature set
* Format of URI identifiers

These are all issues where we have the argument over and over again and
almost always come to almost but not quite the same decision. I want to have
these arguments once.

I want one digest algorithm with fixed parameters that is used as a drop-in
replacement. We have no idea what the deployment scenario is going to be and
so we cannot tune parameters for performance in any case. I do not want to
modify a protocol so as to allow performance tuning either.



On Wed, Apr 6, 2011 at 12:34 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Apr 5, 2011, at 10:09 PM, Peter Gutmann wrote:
>
> > Phillip Hallam-Baker <hallam@gmail.com> writes:
> >
> >> Since all the current WGs have already considered how to deploy SHA256,
> there
> >> is really no reason that SHA3 should require more than a new code point
> and
> >> some test vectors.... That said, I bet that it is going to turn out
> otherwise!
> >
> > +1.  Having a SHA3-upgrade WG would solve the killer problem of crypto
> geeks
> > deciding they're going to reinvent half the protocol they're dealing with
> as a
> > side-effect of adding a new algorithm (oh yeah, and we can change the key
> wrap
> > mechanism, and mandate new key sizes, and add some more message subtypes,
> and
> > ...).  So the single biggest advantage of having a dedicated SHA3 upgrade
> WG
> > would be that it would ensure that that's the only thing that changes in
> the
> > protocol.  As you say, we need a new algorithm ID and some test vectors,
> not
> > an excuse for every WG to start bikeshedding every security protocol ever
> > invented.
>
>
> Note, however, if NIST defines SHA-3 with tunable parameters (something
> that they have discussed in the hash workshops), then either most protocols
> will need to be changed to handle parameters (which none do now) or
> "someone" is going to have to decide which parameter we mean for "SHA-3 that
> has 256 bits of effective strength", "SHA-3 that has 384 bits of effective
> strength" and so on. A WG might be good at that, but the chairs are going to
> have a hell of a time calling consensus, given that the likely purpose of
> parameters (if NIST chooses that path) will be speed and register size, and
> we will have to choose which are more important to us.
>
> --Paul Hoffman
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>



-- 
Website: http://hallambaker.com/


--20cf3054a1134dcd1b04a03fe0f7--

From paul.hoffman@vpnc.org  Wed Apr  6 06:43:37 2011
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B1AB3A69AC for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:43:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.094
X-Spam-Level: 
X-Spam-Status: No, score=-102.094 tagged_above=-999 required=5 tests=[AWL=0.505, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tM3-OIG6NRB for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:43:36 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2001:4870:a30c:41::81]) by core3.amsl.com (Postfix) with ESMTP id C848A3A67B2 for <saag@ietf.org>; Wed,  6 Apr 2011 06:43:35 -0700 (PDT)
Received: from [10.20.30.150] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p36DjI1D010035 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <saag@ietf.org>; Wed, 6 Apr 2011 06:45:18 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1084)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <BANLkTi=zUPaRGF+g5uJ-5eHpj=doU4zDJA@mail.gmail.com>
Date: Wed, 6 Apr 2011 06:45:17 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <7263A3CC-8CAA-4840-B75B-0E77D42B4B20@vpnc.org>
References: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz> <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org> <BANLkTi=zUPaRGF+g5uJ-5eHpj=doU4zDJA@mail.gmail.com>
To: saag@ietf.org
X-Mailer: Apple Mail (2.1084)
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 13:43:37 -0000

On Apr 6, 2011, at 6:20 AM, Bryan Geraghty wrote:

> On Wed, Apr 6, 2011 at 7:34 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
> Note, however, if NIST defines SHA-3 with tunable parameters (something that
> they have discussed in the hash workshops), then either most protocols will
> need to be changed to handle parameters (which none do now) or "someone" is
> going to have to decide which parameter we mean for "SHA-3 that has 256 bits
> of effective strength", "SHA-3 that has 384 bits of effective strength" and
> so on. A WG might be good at that, but the chairs are going to have a hell of
> a time calling consensus, given that the likely purpose of parameters (if
> NIST chooses that path) will be speed and register size, and we will have to
> choose which are more important to us.
>
> The fact is, NIST defined an API for the SHA-3 competition which every
> contestant had to implement:
>
> http://csrc.nist.gov/groups/ST/hash/documents/SHA3-C-API.pdf

Correct. And that short document discusses algorithm-specific parameters in
section 3.

> I can't imagine they would have gone through all of that trouble and then
> change it when the final algorithm is chosen.

They don't need to change it: the use of parameters is documented.

> This standard API made it extremely easy for implementers to test all of
> the functions. And the Hash() function does have an argument for bit length.

True, but irrelevant.

We won't know about tunable parameters until NIST makes its final decision
more than a year from now. Many (most?) of us hope that there will be no
parameters, but designing changes in protocols based on an assumption like
that will cause our work to be more error-prone.

--Paul Hoffman


From pgut001@login01.cs.auckland.ac.nz  Wed Apr  6 06:55:04 2011
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9191B3A69CC for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:55:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.568
X-Spam-Level: 
X-Spam-Status: No, score=-103.568 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xk328Mv-ehB8 for <saag@core3.amsl.com>; Wed,  6 Apr 2011 06:55:03 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id F2D753A69D0 for <saag@ietf.org>; Wed,  6 Apr 2011 06:55:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302098207; x=1333634207; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20hallam@gmail.com,=20paul.hoffman@vpnc.org|Subject: =20Re:=20[saag]=20SHA-3=20Upgrade=20group|Cc:=20saag@ietf .org|In-Reply-To:=20<BANLkTinh5rzF_AtyB-Pvap8LhKMTNOzHxg@ mail.gmail.com>|Message-Id:=20<E1Q7TDv-0002Du-Ui@login01. fos.auckland.ac.nz>|Date:=20Thu,=2007=20Apr=202011=2001:5 6:43=20+1200; bh=WY93z+RE2/ePEJbbnJ0HwksYPodzTvIZ1jyRdQZgSGA=; b=Q+k/SlAKYU0dGRuAuPXHc3013nFIcu1QXRWUEpXAXbLgdY90hIBZAyYz ZqIYk3pNaq9dHHfU0i2nZ5Q0/PYzWPM3Fzgn6Dpt0K0rMoJF06pJfzx7k 1ejXeA71AUxBs16xk71MY4dtUkp7YVexPXSUGCcgzGRKpILm6+vB6fgJt Q=;
X-IronPort-AV: E=Sophos;i="4.63,310,1299409200"; d="scan'208";a="55482854"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 07 Apr 2011 01:56:44 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q7TDv-0001cJ-JL; Thu, 07 Apr 2011 01:56:43 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q7TDv-0002Du-Ui; Thu, 07 Apr 2011 01:56:43 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: hallam@gmail.com, paul.hoffman@vpnc.org
In-Reply-To: <BANLkTinh5rzF_AtyB-Pvap8LhKMTNOzHxg@mail.gmail.com>
Message-Id: <E1Q7TDv-0002Du-Ui@login01.fos.auckland.ac.nz>
Date: Thu, 07 Apr 2011 01:56:43 +1200
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 13:55:04 -0000

Phillip Hallam-Baker <hallam@gmail.com> writes:

>At the moment at least 50% of the arguments I see in WGs are repetition of
>arguments I have seen before. And the ones that consume the most time are the
>ones that everyone can have an opinion on (what color to paint the bikeshed).
>
>* Choice of ECC curves

For an example of this, see my recent posting to the TLS WG
(http://permalink.gmane.org/gmane.ietf.tls/8390), the single biggest shopping-
list of problems in TLS 1.2 is caused by ECC, and every single one can be
solved by the same single change which gets rid of the unnecessary flexibility
(and complexity) that's involved.

>[...]
>* Format of URI identifiers

You forgot the ultimate bikeshedding trigger:

* PKI

Peter :-).



From pgut001@login01.cs.auckland.ac.nz  Wed Apr  6 07:08:12 2011
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A19F3A69BA for <saag@core3.amsl.com>; Wed,  6 Apr 2011 07:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.568
X-Spam-Level: 
X-Spam-Status: No, score=-103.568 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SC84WrhodrNs for <saag@core3.amsl.com>; Wed,  6 Apr 2011 07:08:11 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id BE8603A69B1 for <saag@ietf.org>; Wed,  6 Apr 2011 07:08:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302098995; x=1333634995; h=from:to:subject:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20paul.hoffman@vpnc.org,=20saag@ietf.org|Subject:=20 Re:=20[saag]=20SHA-3=20Upgrade=20group|In-Reply-To:=20<03 65D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>|Message-Id: =20<E1Q7TQg-0002yr-22@login01.fos.auckland.ac.nz>|Date: =20Thu,=2007=20Apr=202011=2002:09:54=20+1200; bh=C3+zJPb5VicYedqUoUbwvGQGd+N3ehpl9eTE7lARqgQ=; b=Iyzbrkhk46s4AlDIAdk4vbCj9K0sTTqvJshwES52WUn8LSbWYldOdSON pSlw/F0wbcSRDts4/zGoeezCaTkJ68N2AiOkVAaJbDdLiNanmmRHWAoFx bxNwygzj0bLMFPi+hyfQ/l09I/K/nxuH5pM81rDIFR/tbgyBA+KMqKz59 w=;
X-IronPort-AV: E=Sophos;i="4.63,310,1299409200"; d="scan'208";a="55484233"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 07 Apr 2011 02:09:54 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q7TQg-0001zH-GS; Thu, 07 Apr 2011 02:09:54 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q7TQg-0002yr-22; Thu, 07 Apr 2011 02:09:54 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: paul.hoffman@vpnc.org, saag@ietf.org
In-Reply-To: <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org>
Message-Id: <E1Q7TQg-0002yr-22@login01.fos.auckland.ac.nz>
Date: Thu, 07 Apr 2011 02:09:54 +1200
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 14:08:12 -0000

Paul Hoffman <paul.hoffman@vpnc.org> writes:

>Note, however, if NIST defines SHA-3 with tunable parameters (something that
>they have discussed in the hash workshops), then either most protocols will
>need to be changed to handle parameters (which none do now)

NIST can define whatever they want, it doesn't mean anyone has to use it.
Currently we have SHA2-256, SHA2-512, SHA2-384, SHA2-224, SHA2-chipotle, SHA2-
streaky-bacon, SHA2-thousand-island, SHA2-chunky, SHA2-extra-chunky, SHA2-
barbeque, SHA2-salt-and-vinegar, SHA2-balsamic-vinaigrette, SHA2-caesar, SHA2-
organic-sea-salt, and SHA2-barium-enema, but what's mostly implemented in
practice is SHA2-256 and... nope, can't actually recall seeing anything else
in use in practice [0].  Again, referring back to my TLS 1.2 post, if you
simply default to SHA2-256 you can talk to anything that actually does SHA2.
So all we need to do is choose one standard mode with 256 bits of output to
match SHA2-256, and probably another one for SHA2-512.  Just because NIST
hands us a really long coil of rope, doesn't mean we have to use it.

Peter.

[0] OK, I've seen -512 and -384 in obscure, isolated implementations, but I've
    also seen Whirlpool and Tiger and others.  I think I saw SHA-224 on
    display at the Ripley's Odditorium, but it may have been Haval.
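[Editor's added example, not part of the thread and not code from any of the
posters. It illustrates two points made above: Bryan's observation that the
NIST competition API's Hash() takes a bit-length argument, and Peter's proposal
that a protocol registers exactly one fixed 256-bit SHA-3 mode and one 512-bit
mode instead of carrying parameters. It is written in Python and assumes the
SHA-3 family as it was eventually standardised in FIPS 202 and exposed by
Python 3.6+ hashlib: the fixed-length sha3_256/sha3_512 and the variable-length
shake_256, which is precisely the kind of tunable-output variant Paul warns
about. When this thread was written the final algorithm was not yet known. The
code point numbers and the registry are hypothetical; the message "abc" is a
constructed sample input.]

```python
"""Fixed SHA-3 code points versus a tunable output length.

Added example (not from the saag thread). Assumes FIPS 202 SHA-3 as shipped
in Python 3.6+ hashlib. Code point values below are hypothetical.
"""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# NIST competition API shape: Hash(hashbitlen, data) -> (status, digest).
# The bit length is an argument, but it only selects one of a few fixed
# instances. The status values mirror the competition API's HashReturn enum.
SUCCESS, FAIL, BAD_HASHLEN = 0, 1, 2

_SHA3_INSTANCES = {
    224: hashlib.sha3_224,
    256: hashlib.sha3_256,
    384: hashlib.sha3_384,
    512: hashlib.sha3_512,
}


def Hash(hashbitlen: int, data: bytes) -> Tuple[int, bytes]:
    """Return (SUCCESS, digest) for a supported length, else (BAD_HASHLEN, b'')."""
    ctor = _SHA3_INSTANCES.get(hashbitlen)
    if ctor is None:
        return BAD_HASHLEN, b""
    return SUCCESS, ctor(data).digest()


# Hypothetical protocol registry: one code point per fixed instance, i.e.
# "one standard mode with 256 bits of output to match SHA2-256, and another
# for SHA2-512". Nothing about the algorithm is negotiated on the wire.
CODE_POINTS: Dict[int, Tuple[str, Callable[[bytes], bytes]]] = {
    0x04: ("sha2-256", lambda m: hashlib.sha256(m).digest()),
    0x06: ("sha2-512", lambda m: hashlib.sha512(m).digest()),
    0x10: ("sha3-256", lambda m: Hash(256, m)[1]),
    0x12: ("sha3-512", lambda m: Hash(512, m)[1]),
}


def verify_fixed(code_point: int, msg: bytes, presented: bytes) -> bool:
    """Recompute the digest named by the code point and compare in constant
    time. The output length comes from the registry, never from the peer, so
    a shortened digest cannot verify (compare_digest fails on length mismatch)."""
    _name, digest = CODE_POINTS[code_point]
    return hmac.compare_digest(digest(msg), presented)


def shake_digest(msg: bytes, nbytes: int) -> bytes:
    """SHAKE256 output of a caller-chosen length (the tunable variant)."""
    return hashlib.shake_256(msg).digest(nbytes)


def verify_xof_unpinned(msg: bytes, presented: bytes) -> bool:
    """The failure mode when output length is left as a parameter the peer
    supplies: the verifier regenerates len(presented) bytes of SHAKE256.
    XOF output is prefix-consistent, so a peer can present a 4-byte digest
    and it still "verifies". The length must be pinned in the spec."""
    return hmac.compare_digest(shake_digest(msg, len(presented)), presented)


def shake_is_prefix_consistent(msg: bytes) -> bool:
    """shake_256(m, 32) is exactly the first 32 bytes of shake_256(m, 64)."""
    return shake_digest(msg, 32) == shake_digest(msg, 64)[:32]


if __name__ == "__main__":
    msg = b"abc"  # constructed sample input
    print("sha3-256(abc) =", Hash(256, msg)[1].hex())
    print("fixed, full digest:   ", verify_fixed(0x10, msg, Hash(256, msg)[1]))
    print("fixed, truncated to 4:", verify_fixed(0x10, msg, Hash(256, msg)[1][:4]))
    print("unpinned XOF, 4 bytes:", verify_xof_unpinned(msg, shake_digest(msg, 4)))
```

The registry is the "someone decides" step from Paul's message done once, in
the spec: each code point binds the algorithm and its output length, so an
implementation never reads a parameter off the wire. verify_xof_unpinned shows
what the alternative buys an attacker: with the length left to the peer, any
prefix of the real output verifies, which is a silent strength downgrade.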

From hallam@gmail.com  Wed Apr  6 07:34:07 2011
Return-Path: <hallam@gmail.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DCBB28C0EB for <saag@core3.amsl.com>; Wed,  6 Apr 2011 07:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.52
X-Spam-Level: 
X-Spam-Status: No, score=-3.52 tagged_above=-999 required=5 tests=[AWL=0.078,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBPz2rSnacUe for <saag@core3.amsl.com>; Wed,  6 Apr 2011 07:34:05 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id 9D3213A6905 for <saag@ietf.org>; Wed,  6 Apr 2011 07:34:05 -0700 (PDT)
Received: by vws12 with SMTP id 12so1423520vws.31 for <saag@ietf.org>; Wed, 06 Apr 2011 07:35:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vBspq+/NFuqGSC386BZZ8NPoJRvj0uNwTgjy3dvQGZI=; b=vioTA+r4nfPitwqAzOwAqfhwBTS6SAaFs36kLiG0h0aVhUgKJqjDU+f/WlM1Lrb9of +ix7LkVJYFgRhVpe/NzFVTCk5ncXST9Hr8ZbZhSeeICQdP4b7aTCx7nb++g7IlTYTPD2 dA7W9qCN1eHfgu83b8N1IlSUuhWEFcx2Ls0eI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=UZN7OY44EMdiftLA7zeKA/l+jhEZ9dA06/ylNTtkY8sMNGl9+IXyD1rcy5oo0UYgog bKXWFvzqZqPA8kXxVosnFC5OQUCcHicYT++2OM67s2l63D213h5BaDKP9rHKYDnpTFGy KPwnryP3Cbr4VZOuxFW2aSTer7VMQjch4IN98=
MIME-Version: 1.0
Received: by 10.52.18.11 with SMTP id s11mr185996vdd.269.1302100549181; Wed, 06 Apr 2011 07:35:49 -0700 (PDT)
Received: by 10.52.166.230 with HTTP; Wed, 6 Apr 2011 07:35:49 -0700 (PDT)
In-Reply-To: <E1Q7TDv-0002Du-Ui@login01.fos.auckland.ac.nz>
References: <BANLkTinh5rzF_AtyB-Pvap8LhKMTNOzHxg@mail.gmail.com> <E1Q7TDv-0002Du-Ui@login01.fos.auckland.ac.nz>
Date: Wed, 6 Apr 2011 14:35:49 +0000
Message-ID: <BANLkTi=m=uugn5OohEkx6pZ1qsq_-0SmLQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary=20cf3054a113b2294c04a040e8e8
Cc: paul.hoffman@vpnc.org, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 14:34:07 -0000

--20cf3054a113b2294c04a040e8e8
Content-Type: text/plain; charset=ISO-8859-1

As I pointed out in the original post, the thing that makes this non-trivial
is that many protocols have multiple algorithms specified, some have suites.

Parameters are a non-starter when you have suites. If there is a choice of
parameters and nobody can tell the difference, a standards organization
should pick ONE, not create a mechanism for allowing a choice. The process
of standardization is to limit choices and in particular to eliminate
choices that don't matter or don't matter much.


I would like to see the approach to suites to be that the group picks
exactly one algorithm of a given type and no more than two variations
thereof to support different cipher strength, roughly corresponding to 128
bit and 256 bit work factor (accepting that we can't do 256 bit for RSA).

Even so, we end up with rather a lot of suites since we have 3 public key
building blocks (encryption, signature, key exchange) and 2 approaches
(Finite field + ECC). If we implement all of them at both work factors we
end up with 4 suites which is still more than I would like.


I can see an argument for adding algorithms because they have different
properties (DSA results in more compact signatures than RSA and is thus more
appropriate for DNSSEC than RSA2048). But I cannot see a good argument for
proliferating parameters to chase marginal performance issues.

Unless a performance issue creates a difference of at least an order of
magnitude, it is not worth considering in IETF. That is a justification for
considering ECC, it is not a justification for bikeshedding digest algorithm
parameters.


Given that each set of parameters is going to create different security
properties, I can't see it being very likely that the final choice will have
optional parameters in any case. It makes sense to have parameters during
the selection process as otherwise the competition degenerates into guessing
and gaming what use cases are going to have the most weight in the selection
process.

We have to make choices and so does NIST. And if NIST does not end up making
choices for parameters then we are going to have to.

On Wed, Apr 6, 2011 at 1:56 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
> >At the moment at least 50% of the arguments I see in WGs are repetition of
> >arguments I have seen before. And the ones that consume the most time are the
> >ones that everyone can have an opinion on (what color to paint the bikeshed).
> >
> >* Choice of ECC curves
>
> For an example of this, see my recent posting to the TLS WG
> (http://permalink.gmane.org/gmane.ietf.tls/8390), the single biggest shopping-
> list of problems in TLS 1.2 is caused by ECC, and every single one can be
> solved by the same single change which gets rid of the unnecessary flexibility
> (and complexity) that's involved.
>
> >[...]
> >* Format of URI identifiers
>
> You forgot the ultimate bikeshedding trigger:
>
> * PKI
>
> Peter :-).
>
>
>


-- 
Website: http://hallambaker.com/

--20cf3054a113b2294c04a040e8e8--

From archwisp@gmail.com  Wed Apr  6 07:35:45 2011
Return-Path: <archwisp@gmail.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1AE2B28C0FD for <saag@core3.amsl.com>; Wed,  6 Apr 2011 07:35:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.876
X-Spam-Level: 
X-Spam-Status: No, score=-2.876 tagged_above=-999 required=5 tests=[AWL=0.100,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ENUO7LjX7Y80 for <saag@core3.amsl.com>; Wed,  6 Apr 2011 07:35:44 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by core3.amsl.com (Postfix) with ESMTP id 27F8728C0F5 for <saag@ietf.org>; Wed,  6 Apr 2011 07:35:44 -0700 (PDT)
Received: by yic13 with SMTP id 13so713381yic.31 for <saag@ietf.org>; Wed, 06 Apr 2011 07:37:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=jEdsXDL+3NPbBz2Bs4YADU6hmUO9+LqAXp9H1R4xFaE=; b=gdWnc1KX8TNeHbRAPuRaFntRf4Q8aB5ycrTuiC3TnT2qDpRnPDvIiJgtCX4WFJpnX4 ambPyeq+H9B5TEI6N0ndW4SGmG8EoOcHHqyijD8Q8g2fyF9z8EUPs3AXb7D+tLXOOH7V PfBN4kpRYAET5ZqDXgZMItdnZq4rCee9FbRSQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=q++B0D5LqWo2wAvOCFUdFzACIaYaeKUmDBAKHE2y/T72MvYnXmldVvVWUXfBVmE2uI E+qDW0EgnhVC82o54Cvj+Js+RSmCu1i2PdiOZh9QAo48NTB5AcDOL6AfZA87Rn0zeotY DeJb6PuKAZUKQbNDfwoBpgbnpjtW0UGHtIEm8=
MIME-Version: 1.0
Received: by 10.42.240.66 with SMTP id kz2mr1646392icb.467.1302100647690; Wed, 06 Apr 2011 07:37:27 -0700 (PDT)
Sender: archwisp@gmail.com
Received: by 10.42.164.67 with HTTP; Wed, 6 Apr 2011 07:37:27 -0700 (PDT)
In-Reply-To: <7263A3CC-8CAA-4840-B75B-0E77D42B4B20@vpnc.org>
References: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz> <0365D9CC-BCA6-4ADC-8F0C-D2A3ACD00F67@vpnc.org> <BANLkTi=zUPaRGF+g5uJ-5eHpj=doU4zDJA@mail.gmail.com> <7263A3CC-8CAA-4840-B75B-0E77D42B4B20@vpnc.org>
Date: Wed, 6 Apr 2011 09:37:27 -0500
X-Google-Sender-Auth: A2KxeB0IdnTwvO7OrbUCgev5imU
Message-ID: <BANLkTim=GZzyfXGDai34ys5dwrCWba52Fg@mail.gmail.com>
From: Bryan Geraghty <bryan@ravensight.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary=20cf3054ab3f9140a704a040eeb4
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 14:35:45 -0000

--20cf3054ab3f9140a704a040eeb4
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Apr 6, 2011 at 8:45 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Correct. And that short document discusses algorithm-specific parameters in
> section 3.
>
> They don't need to change it: the use of parameters is documented.
>

Yes, but in section 4.1, it says:

    This API uses a function called Init() to initialize the hashState
    structure. As stated above, the hashState structure contains the
    hashbitlen of this particular instantiation, as well as any
    algorithm specific parameters that are needed.

Any algorithm-specific parameters are initialized within the Init() call and
do not need to be known to the implementer. Those parameters are meant for
extremely specific implementations and the algorithm byte-code will actually
be modified. Those parameters cannot be set at run-time, and therefore, are
not exposed by the API.

If you're talking about the Tunable Security Parameter mentioned in the
selection process, that is a separate concept and we should not confuse the
two. I'm positive that once the final algorithm is chosen, that "tunable"
parameter will become constant (number of rounds, for instance). The
security of the algorithm depends heavily on the configuration of said
parameter and to allow implementers to modify it at-will would be ludicrous.
We've seen what happens when algorithms are implemented with reduced rounds.


> We won't know about tunable parameters until NIST makes its final decision
> more than a year from now. Many (most?) of us hope that there will be no
> parameters, but designing changes in protocols based on an assumption like
> that will cause our work to be more error-prone.
>

I honestly can't see any reasonable place for external parameters that
wouldn't destroy the integrity of the algorithm. But I understand the wisdom
of getting the final word. Perhaps there is a way we can get a final answer
from NIST.

-- 
Bryan C. Geraghty
bryan@ravensight.org
Cell: (702) 715-4574

--20cf3054ab3f9140a704a040eeb4--
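The point made in the post above, that the only thing a caller should be able to pick at run time is the output length while anything like a round count is part of the algorithm's definition, shown as an added example that is not code from the list or from NIST's reference API. It uses the Keccak-based SHA-3 that NIST later standardized in FIPS 202 (which postdates this thread): a pure-Python SHA3-256 whose Keccak-f[1600] round count is a module constant, checked against the platform's hashlib. The reduced-round call at the end is a constructed illustration only (FIPS 202 defines no such variant) of why a "tunable" round count is a different function, not a parameter of the same one.

```python
"""SHA3-256 built from Keccak-f[1600] with the round count as a fixed
constant, not a run-time knob.

Added example for this thread; it is not NIST's reference API and not
code from any list participant.  The permutation follows the FIPS 202
definition; digests are checked against hashlib.sha3_256.
"""
import hashlib

MASK64 = (1 << 64) - 1
ROUNDS = 24          # part of the algorithm definition, not a caller parameter
RATE_BYTES = 136     # SHA3-256: rate = 1600 - 2*256 bits


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _round_constants(count):
    """Iota constants from the FIPS 202 LFSR (x^8 + x^6 + x^5 + x^4 + 1)."""
    bits, r = [], 1
    for _ in range(7 * count):
        bits.append(r & 1)
        r <<= 1
        if r & 0x100:
            r ^= 0x71
        r &= 0xFF
    return [sum(bits[7 * i + j] << ((1 << j) - 1) for j in range(7))
            for i in range(count)]


def _rho_offsets():
    """Rotation offsets generated by the (x, y) -> (y, 2x + 3y) walk."""
    r = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r


_RHO = _rho_offsets()


def keccak_f1600(a, rounds=ROUNDS):
    """Apply `rounds` rounds of Keccak-f to a 5x5 lane state a[x][y]."""
    rc = _round_constants(rounds)
    for rnd in range(rounds):
        # theta: column parity mixing
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho + pi: rotate each lane, then move it to its new position
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _RHO[x][y])
        # chi: the non-linear row step
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        # iota: break symmetry with the round constant
        a[0][0] ^= rc[rnd]
    return a


def sha3_256(msg, rounds=ROUNDS):
    """Sponge over keccak_f1600 with the SHA-3 domain padding byte 0x06."""
    padded = bytearray(msg) + b"\x06"
    padded += b"\x00" * (-len(padded) % RATE_BYTES)
    padded[-1] |= 0x80                     # final bit of pad10*1
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), RATE_BYTES):
        block = padded[off:off + RATE_BYTES]
        for i in range(RATE_BYTES // 8):    # lane i lives at (x, y) = (i % 5, i // 5)
            state[i % 5][i // 5] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state, rounds)
    return b"".join(state[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def matches_standard(msg):
    """True iff the fixed-round SHA3-256 above agrees with the platform's."""
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog" * 4   # constructed, spans two rate blocks
    print(sha3_256(sample).hex())
    print("matches hashlib:", matches_standard(sample))
    # Illustrative only: a different round count is a different function.
    print("rounds=12 differs:", sha3_256(sample, rounds=12) != sha3_256(sample))
```

Everything a caller can legitimately vary (here, only the message; in the real API family, the output length) sits in the function signature; the round count, rotation offsets and round constants are fixed by the definition, which is why an interoperable standard cannot leave them as options.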

From pgut001@login01.cs.auckland.ac.nz  Wed Apr  6 08:05:35 2011
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42F7F28C102 for <saag@core3.amsl.com>; Wed,  6 Apr 2011 08:05:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.569
X-Spam-Level: 
X-Spam-Status: No, score=-103.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EF5YVL1HfYk9 for <saag@core3.amsl.com>; Wed,  6 Apr 2011 08:05:34 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id 9B0863A67E7 for <saag@ietf.org>; Wed,  6 Apr 2011 08:05:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302102438; x=1333638438; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20hallam@gmail.com,=20pgut001@cs.auckland.ac.nz |Subject:=20Re:=20[saag]=20SHA-3=20Upgrade=20group|Cc:=20 paul.hoffman@vpnc.org,=20saag@ietf.org|In-Reply-To:=20<BA NLkTi=3Dm=3Duugn5OohEkx6pZ1qsq_-0SmLQ@mail.gmail.com> |Message-Id:=20<E1Q7UKB-0005td-Ka@login01.fos.auckland.ac .nz>|Date:=20Thu,=2007=20Apr=202011=2003:07:15=20+1200; bh=beFyJKwFR0OKmMqS/KqLmtnwSG7tXzwZGzBHgifk5t4=; b=hhzq4ewVYSvr0EJhW1bnvzVcEDE8ki5QT7YjN1U8dtEeBFxhs7R2XEfr SgiCOpT5GRqGHbjdfE9dAe0Cz1kPMACdJwkyjAuh+nPuIf0y/ZLn0iMWz +nyFoCMzUgDhgQwJjJm2xXqT3fvdUISUWgwBu5wbrMc2kdHyGtRpRSTg/ w=;
X-IronPort-AV: E=Sophos;i="4.63,310,1299409200"; d="scan'208";a="55487442"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 07 Apr 2011 03:07:16 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q7UKB-0003iw-IK; Thu, 07 Apr 2011 03:07:15 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Q7UKB-0005td-Ka; Thu, 07 Apr 2011 03:07:15 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: hallam@gmail.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <BANLkTi=m=uugn5OohEkx6pZ1qsq_-0SmLQ@mail.gmail.com>
Message-Id: <E1Q7UKB-0005td-Ka@login01.fos.auckland.ac.nz>
Date: Thu, 07 Apr 2011 03:07:15 +1200
Cc: paul.hoffman@vpnc.org, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 15:05:35 -0000

Phillip Hallam-Baker <hallam@gmail.com> writes:

>Even so, we end up with rather a lot of suites since we have 3 public key
>building blocks (encryption, signature, key exchange) and 2 approaches
>(Finite field + ECC). If we implement all of them at both work factors we end
>up with 4 suites which is still more than I would like.

Eventually the invisible hand of the market will decide.  From the SSL 
Observatory:

Number of deployed DSA TLS servers with certs \
  chaining to a trusted root: 25
Number "  " ECC  "  "  ": Zero
Number "  " RSA  "  "  ": Millions

So to a good approximation, for SSL/TLS use, there is only one PKC algorithm
and that's RSA.  Furthermore, pretty much everything can do either 3DES
(older) or AES (newer).  So you should be able to communicate with pretty much
anything that talks SSL/TLS with:

  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA

and if you're really keen on PFS (which 99.99% of your users don't even know
exists, but anyway):

  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA

and finally if you can find anything that does TLS 1.2 you could throw in two
SHA-2 suites as well.  In practice though, for anyone but crypto-geeks, the
first two suites will talk to virtually anything out there.  SSH is similar.

(This is Grigg's (Other) Law, "There is only one cipher suite and that is
Suite #1".  I have, oh I dunno, about six million cipher suites in my code,
including smoky-bacon, and the only one I'd need in practice is #1.  I'm not
sure why I even bother advertising the others, all it does is bloat up the
handshake unnecessarily...).

>We have to make choices and so does NIST. And if NIST does not end up making
>choices for parameters then we are going to have to.

Yup.

Peter.
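The suite names in the post above follow the IANA registry grammar <SSL|TLS>_<kx>[_<auth>]_WITH_<cipher>_<hash>, and every suite a client advertises costs two bytes in the ClientHello cipher_suites vector, which is the "bloat" the post refers to. As an added example, not code from the post or from any participant's implementation, the following parses those names into their components, separates the forward-secret (DHE) suites from the static-RSA ones, and encodes the minimal two-suite offer on the wire. The code points are the IANA registry values for the six suites the post names; an SSL_ and a TLS_ spelling of the same name refer to the same registry entry.

```python
"""Cipher-suite name parsing and ClientHello cipher_suites encoding.

Added example for this thread; not code from the post or from any
participant's implementation.  Names follow the IANA registry grammar
    <SSL|TLS>_<kx>[_<auth>]_WITH_<cipher>_<hash>
and CODE_POINTS holds the registry values for the suites named in the
post.  SSL_ and TLS_ prefixes denote the same registry entry.
"""
from dataclasses import dataclass

CODE_POINTS = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 0x0016,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
}

PFS_KX = {"DHE", "ECDHE"}   # ephemeral exchanges: the session key does not depend on the long-term key


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: RSA (static key transport), DHE, ECDHE, ...
    auth: str      # peer authentication: RSA, DSS, ECDSA, anon
    cipher: str    # bulk cipher, e.g. 3DES_EDE_CBC, AES_128_CBC
    mac_hash: str  # HMAC hash (for AEAD suites, the PRF hash): SHA, SHA256, ...

    @property
    def forward_secret(self):
        return self.kx in PFS_KX


def parse_suite(name):
    """Split a registry name into its algorithm components."""
    head, sep, tail = name.partition("_WITH_")
    prefix, *kx_parts = head.split("_")
    cipher, _, mac_hash = tail.rpartition("_")
    if not sep or prefix not in ("SSL", "TLS") or not kx_parts or not cipher:
        raise ValueError(f"not a cipher-suite name: {name!r}")
    # "RSA" alone: static RSA key transport authenticated by the RSA certificate.
    # "DHE_RSA": ephemeral DH parameters signed with the RSA certificate.
    kx = kx_parts[0]
    auth = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
    return Suite(name, kx, auth, cipher, mac_hash)


def normalize(name):
    """SSL_ and TLS_ names identify the same suite; use the TLS_ spelling."""
    return "TLS_" + name[4:] if name.startswith("SSL_") else name


def encode_cipher_suites(names):
    """Wire form of ClientHello.cipher_suites: 2-byte length, then 2 bytes per suite."""
    body = b"".join(CODE_POINTS[normalize(n)].to_bytes(2, "big") for n in names)
    return len(body).to_bytes(2, "big") + body


def split_by_pfs(names):
    """Partition an offer into (forward-secret suites, static-key suites),
    dropping anonymous suites, which authenticate nobody."""
    suites = [s for s in map(parse_suite, names) if s.auth != "anon"]
    pfs = [s.name for s in suites if s.forward_secret]
    static = [s.name for s in suites if not s.forward_secret]
    return pfs, static


if __name__ == "__main__":
    # The four suites from the post: two static-RSA, two DHE_RSA.
    offer = ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
             "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
    for n in offer:
        print(parse_suite(n))
    print("PFS vs static:", split_by_pfs(offer))
    print("minimal two-suite offer on the wire:", encode_cipher_suites(offer[:2]).hex())
```

The two-suite offer encodes to six bytes (a two-byte length plus two code points); each extra advertised suite adds two more, which is the only thing a long list buys from a server that will pick the first mutually supported entry anyway.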

From hotz@jpl.nasa.gov  Wed Apr  6 14:03:19 2011
Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7257028C0DE; Wed,  6 Apr 2011 14:03:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qstllsd083b4; Wed,  6 Apr 2011 14:03:18 -0700 (PDT)
Received: from mail.jpl.nasa.gov (sentrion3.jpl.nasa.gov [128.149.139.109]) by core3.amsl.com (Postfix) with ESMTP id 750413A67C3; Wed,  6 Apr 2011 14:03:18 -0700 (PDT)
Received: from dhcp-137-79-176-182.jpl.nasa.gov (dhcp-137-79-176-182.jpl.nasa.gov [137.79.176.182]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Switch-3.4.3/Switch-3.4.3) with ESMTP id p36L50NG027499 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Wed, 6 Apr 2011 14:05:01 -0700
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Wed, 6 Apr 2011 14:05:00 -0700
References: <20110406204159.E04043A69B9@core3.amsl.com>
To: saag@ietf.org, "ietf-krb-wg@anl.gov Group" <ietf-krb-wg@anl.gov>, pkix PKIX <pkix@ietf.org>
Message-Id: <7D21A6AA-04C3-4A2B-9424-22F9FD2231D4@jpl.nasa.gov>
Mime-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)
X-Source-IP: dhcp-137-79-176-182.jpl.nasa.gov [137.79.176.182]
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
Subject: [saag] Fwd: New Version Notification for draft-hotz-kx509-02
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 21:03:20 -0000

This is an individual submission, but I'm treating this as a "last call" for comments before I forward it up the chain.  I think I've addressed all the issues I can without making it incompatible with the deployed base.  The remaining issues are in Appendix C.  (Yes, I intend to start work on an incompatible upgrade once this draft has gotten published.)

Changes from the Previous Draft:

1.  The retry behavior was made slightly less specific.

2.  The traditionally used SAN extensions were moved to a new appendix, leaving only the id-pkinit-san as the RECOMMENDED SAN.

3.  The absolute prohibition against digital signatures in the Security Considerations section was relaxed since there are legitimate situations where a signature based on the KX509
certificate is still useful.  (E.g. integrity protection where the actual signing identity is not important.)

4.  Reference to TAGPMA in the abstract was replaced with a reference to its parent, the International Grid Trust Federation, and more detailed informative references were expanded in the Introduction.

5.  Assorted other wording changes were made for clarity, but are not believed to have changed the meaning.


Begin forwarded message:

> From: IETF I-D Submission Tool <idsubmission@ietf.org>
> Date: April 6, 2011 1:41:59 PM PDT
> To: "Hotz, Henry B (173H)" <hotz@jpl.nasa.gov>
> Subject: New Version Notification for draft-hotz-kx509-02
>
>
> A new version of I-D, draft-hotz-kx509-02.txt has been successfully submitted by Henry Hotz and posted to the IETF repository.
>
> Filename:	 draft-hotz-kx509
> Revision:	 02
> Title:		 KX509 Kerberized Certificate Issuance Protocol
> Creation_date:	 2011-04-06
> WG ID:		 Independent Submission
> Number_of_pages: 11
>
> Abstract:
> This rfc describes a protocol, called kx509, for using Kerberos
> tickets to acquire X.509 certificates.
>
> While not (previously) standardized, this protocol is already in use
> at several large organizations, and certificates issued with this
> protocol are recognized by the International Grid Trust Federation.
>
>
>
> The IETF Secretariat.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu




From turners@ieca.com  Thu Apr  7 08:42:14 2011
Return-Path: <turners@ieca.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C630E3A6A14 for <saag@core3.amsl.com>; Thu,  7 Apr 2011 08:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.54
X-Spam-Level: 
X-Spam-Status: No, score=-102.54 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AP4PEP9vj1lm for <saag@core3.amsl.com>; Thu,  7 Apr 2011 08:42:14 -0700 (PDT)
Received: from nm1.bullet.mail.ac4.yahoo.com (nm1.bullet.mail.ac4.yahoo.com [98.139.52.198]) by core3.amsl.com (Postfix) with SMTP id EF1183A6A11 for <saag@ietf.org>; Thu,  7 Apr 2011 08:42:13 -0700 (PDT)
Received: from [98.139.52.195] by nm1.bullet.mail.ac4.yahoo.com with NNFMP; 07 Apr 2011 15:43:55 -0000
Received: from [98.139.52.136] by tm8.bullet.mail.ac4.yahoo.com with NNFMP; 07 Apr 2011 15:43:55 -0000
Received: from [127.0.0.1] by omp1019.mail.ac4.yahoo.com with NNFMP; 07 Apr 2011 15:43:55 -0000
X-Yahoo-Newman-Id: 869778.13740.bm@omp1019.mail.ac4.yahoo.com
Received: (qmail 88492 invoked from network); 7 Apr 2011 15:43:55 -0000
Received: from thunderfish.local (turners@96.231.126.25 with plain) by smtp111.biz.mail.mud.yahoo.com with SMTP; 07 Apr 2011 08:43:55 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: CP5e8XkVM1nifrRpEoscIEpWyRODbt_51X1F44jUuLrnctR L8MlaamEbN3T4ZHKd1wJ.K3QjfUWCa08Nqfs68Fqs6_HlUZBnkuRLoO8TlvG 694aLrC684W5_YtFqZBAqLy5RCrTfpC63W.PYz_8CNzdEIGTsrGQoTUf7tNW aSj7bUsqAkzhYk61Km9xb_fA7NqIb6uVmM4r8_M75OAQyqpZgTTiVG86a3yn 5QcwuJsdwb7DJcoFQnocbuhfeOSclPZZkjNsnFOf3m6zQofdtcqwXA0JtME_ 3aURcNZ_LmU4y6ErM9u5CpzQQCqw8GIk2jLVoOzotAEj9UrUVgy8XCSg9jw3 mVRTrA_X81xMf7vRr1N8PZH2q
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4D9DDBBA.4020602@ieca.com>
Date: Thu, 07 Apr 2011 11:43:54 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz>
In-Reply-To: <E1Q7Kzs-0001h1-Sn@login01.fos.auckland.ac.nz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: hallam@gmail.com, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2011 15:42:14 -0000

On 4/6/11 1:09 AM, Peter Gutmann wrote:
> Phillip Hallam-Baker<hallam@gmail.com>  writes:
>
>> Since all the current WGs have already considered how to deploy SHA256, there
>> is really no reason that SHA3 should require more than a new code point and
>> some test vectors.... That said, I bet that it is going to turn out otherwise!
>
> +1.  Having a SHA3-upgrade WG would solve the killer problem of crypto geeks
> deciding they're going to reinvent half the protocol they're dealing with as a
> side-effect of adding a new algorithm (oh yeah, and we can change the key wrap
> mechanism, and mandate new key sizes, and add some more message subtypes, and
> ...).  So the single biggest advantage of having a dedicated SHA3 upgrade WG
> would be that it would ensure that that's the only thing that changes in the
> protocol.  As you say, we need a new algorithm ID and some test vectors, not
> an excuse for every WG to start bikeshedding every security protocol ever
> invented.

My hope for this possible WG is that it would simply define the code 
points and it would not modify the required algorithm for any protocol.

spt

From paul.hoffman@vpnc.org  Thu Apr  7 09:53:30 2011
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4D9DDBBA.4020602@ieca.com>
Date: Thu, 7 Apr 2011 09:48:34 -0700
Message-Id: <B7719907-3118-4D08-997D-FC4B72F23395@vpnc.org>
To: Sean Turner <turners@ieca.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Apr 7, 2011, at 8:43 AM, Sean Turner wrote:

> On 4/6/11 1:09 AM, Peter Gutmann wrote:
>> Phillip Hallam-Baker<hallam@gmail.com>  writes:
>>
>>> Since all the current WGs have already considered how to deploy SHA256, there
>>> is really no reason that SHA3 should require more than a new code point and
>>> some test vectors.... That said, I bet that it is going to turn out otherwise!
>>
>> +1.  Having a SHA3-upgrade WG would solve the killer problem of crypto geeks
>> deciding they're going to reinvent half the protocol they're dealing with as a
>> side-effect of adding a new algorithm (oh yeah, and we can change the key wrap
>> mechanism, and mandate new key sizes, and add some more message subtypes, and
>> ...).  So the single biggest advantage of having a dedicated SHA3 upgrade WG
>> would be that it would ensure that that's the only thing that changes in the
>> protocol.  As you say, we need a new algorithm ID and some test vectors, not
>> an excuse for every WG to start bikeshedding every security protocol ever
>> invented.
>
> My hope for this possible WG is that it would simply define the code points and it would not modify the required algorithm for any protocol.


So, who will decide when (in the simplest cases) SHA3-256 and RSA-with-SHA3-256 become SHOULD-level or MUST-level for security protocols, and when? Defining codepoints for Shiny Objects without telling developers what they mean will sow confusion in the marketplace. We already have widely diverging views more than a year before the Shiny Objects even exist.

--Paul Hoffman


From nico@cryptonector.com  Thu Apr  7 10:09:04 2011
In-Reply-To: <B7719907-3118-4D08-997D-FC4B72F23395@vpnc.org>
Date: Thu, 7 Apr 2011 12:10:41 -0500
Message-ID: <BANLkTik9KsF=TUc6Co8HKgyvmaj8w_-Xzg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

New alg codes defined by this WG should be REQUIRED to implement for
the corresponding protocols.  Moving _old_ algorithms to HISTORIC
should be left to other WGs, except perhaps in cases where there's no
currently chartered WG that could own such work.

Addition of algorithm agility should probably be out of scope for this
putative WG.

From turners@ieca.com  Thu Apr  7 11:12:09 2011
Message-ID: <4D9DFED7.50401@ieca.com>
Date: Thu, 07 Apr 2011 14:13:43 -0400
From: Sean Turner <turners@ieca.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <B7719907-3118-4D08-997D-FC4B72F23395@vpnc.org>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On 4/7/11 12:48 PM, Paul Hoffman wrote:
>
> On Apr 7, 2011, at 8:43 AM, Sean Turner wrote:
>
>> On 4/6/11 1:09 AM, Peter Gutmann wrote:
>>> Phillip Hallam-Baker<hallam@gmail.com>   writes:
>>>
>>>> Since all the current WGs have already considered how to deploy SHA256, there
>>>> is really no reason that SHA3 should require more than a new code point and
>>>> some test vectors.... That said, I bet that it is going to turn out otherwise!
>>>
>>> +1.  Having a SHA3-upgrade WG would solve the killer problem of crypto geeks
>>> deciding they're going to reinvent half the protocol they're dealing with as a
>>> side-effect of adding a new algorithm (oh yeah, and we can change the key wrap
>>> mechanism, and mandate new key sizes, and add some more message subtypes, and
>>> ...).  So the single biggest advantage of having a dedicated SHA3 upgrade WG
>>> would be that it would ensure that that's the only thing that changes in the
>>> protocol.  As you say, we need a new algorithm ID and some test vectors, not
>>> an excuse for every WG to start bikeshedding every security protocol ever
>>> invented.
>>
>> My hope for this possible WG is that it would simply define the code points and it would not modify the required algorithm for any protocol.
>
>
> So, who will decide when (in the simplest cases) SHA3-256 and RSA-with-SHA3-256 become SHOULD-level or MUST-level for security protocols, and when? Defining codepoints for Shiny Objects without telling developers what they mean will sow confusion in the marketplace. We already have widely diverging views more than a year before the Shiny Objects even exist.

I assumed it would be up to the WGs to decide to migrate and then they'd 
use the usual IETF process to progress to RFC.

My memory might not be as good as others, but have we drawn a line in 
the sand before with other algorithms?  If we did who did it?

spt

From paul.hoffman@vpnc.org  Thu Apr  7 11:18:14 2011
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4D9DFED7.50401@ieca.com>
Date: Thu, 7 Apr 2011 11:19:55 -0700
Message-Id: <B13FE7A0-59FE-4754-A860-B9FCFACDBC49@vpnc.org>
To: Sean Turner <turners@ieca.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Apr 7, 2011, at 11:13 AM, Sean Turner wrote:

> I assumed it would be up to the WGs to decide to migrate and then they'd use the usual IETF process to progress to RFC.

That would be sensible.

> My memory might not be as good as others, but have we drawn a line in the sand before with other algorithms?

Who do you mean by "we"? That's a serious question.

> If we did who did it?


Well, we already have Nico proposing one...

--Paul Hoffman


From turners@ieca.com  Thu Apr  7 11:20:59 2011
Message-ID: <4D9E00EB.6030402@ieca.com>
Date: Thu, 07 Apr 2011 14:22:35 -0400
From: Sean Turner <turners@ieca.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <B13FE7A0-59FE-4754-A860-B9FCFACDBC49@vpnc.org>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On 4/7/11 2:19 PM, Paul Hoffman wrote:
> On Apr 7, 2011, at 11:13 AM, Sean Turner wrote:
>
>> I assumed it would be up to the WGs to decide to migrate and then they'd use the usual IETF process to progress to RFC.
>
> That would be sensible.
>
>> My memory might not be as good as others, but have we drawn a line in the sand before with other algorithms?
>
> Who do you mean by "we"? That's a serious question.

We = IETF ;)

I can remember some dates in PKIX about using UTF8String for names after 
a certain date ;)

>> If we did who did it?
>
>
> Well, we already have Nico proposing one...
>
> --Paul Hoffman
>
>

From stephen.farrell@cs.tcd.ie  Thu Apr  7 11:56:11 2011
Message-ID: <4D9E092C.3090503@cs.tcd.ie>
Date: Thu, 07 Apr 2011 19:57:48 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Sean Turner <turners@ieca.com>
In-Reply-To: <4D9E00EB.6030402@ieca.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On 07/04/11 19:22, Sean Turner wrote:
> I can remember some dates in PKIX about using UTF8String for names after
> a certain date ;)

Can't see that working really - look how well DSA deployment
spread in TLS for example:-)

I'd guess the best we can do is have the putative group define
the ciphersuites/codepoints and then as and when it makes sense
to update/obsolete other RFCs for whatever reason, then alg
choices can be updated.

S.

From pgut001@login01.cs.auckland.ac.nz  Thu Apr  7 20:31:12 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: paul.hoffman@vpnc.org, turners@ieca.com
In-Reply-To: <B7719907-3118-4D08-997D-FC4B72F23395@vpnc.org>
Message-Id: <E1Q82RB-0006en-79@login01.fos.auckland.ac.nz>
Date: Fri, 08 Apr 2011 15:32:45 +1200
Cc: saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

Paul Hoffman <paul.hoffman@vpnc.org> writes:

>So, who will decide when (in the simplest cases) SHA3-256 and 
>RSA-with-SHA3-256 become SHOULD-level or MUST-level for security protocols, 
>and when?

The people writing the code. This has been the practice for years (look at any 
protocol like TLS or S/MIME, and then the tiny subset of features that, by 
mutual unspoken agreement, everyone implements, and all the mission-critical, 
must-implement stuff that everyone simply ignores). SHA3 won't be any 
different. Create a basic common feature set that matches existing experience 
with SHA2, ready for use when SHA3 appears, and everyone can bikeshed any 
additional modes for as long as they like afterwards, and implementers can 
ignore them for even longer.

Peter.

From kent@bbn.com  Mon Apr 11 10:19:00 2011
Message-Id: <p06240805c9c8e04e12bb@[128.89.89.213]>
In-Reply-To: <4D9E00EB.6030402@ieca.com>
Date: Mon, 11 Apr 2011 12:56:02 -0400
To: Sean Turner <turners@ieca.com>
From: Stephen Kent <kent@bbn.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

Sean,


Yes, we mandated support for UTF-8 in Directory Name in RFC 2459, 
with a drop dead date of 12/31/2003.  That didn't work out, so we 
relaxed the requirement in 5280.

PKIX also mandated a drop dead date for 2-digit dates in certs and CRLs, to
deal with a Y2K whoops.  That was in 2459, and 3280, and in 5280. We still have
39 years to go before we learn if this requirement will be followed :-).

Steve
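The two-digit-date rule Steve refers to, as an added example that is not part of the thread or of any PKIX document: RFC 5280 section 4.1.2.5 requires validity dates through 2049 to be encoded as UTCTime (two-digit year, century inferred with a 50/49 pivot) and dates in 2050 or later as GeneralizedTime, which is where the "39 years to go" from 2011 comes from. The function names and sample times are constructed for this illustration.

```python
"""RFC 5280 validity-time encoding (section 4.1.2.5), added illustration only.

Dates through 2049 MUST be UTCTime (YYMMDDHHMMSSZ, two-digit year); dates in
2050 or later MUST be GeneralizedTime (YYYYMMDDHHMMSSZ).  A UTCTime year YY is
read as 19YY when YY >= 50 and as 20YY when YY < 50, so a two-digit year can
reach no further than 2049: that is why 2050 is the cut-over.  Function names
and the sample times below are constructed for this example.
"""
from datetime import datetime, timezone

UTCTIME_PIVOT = 50            # YY >= 50 -> 19YY, YY < 50 -> 20YY
GENERALIZEDTIME_FROM = 2050   # first year that MUST be GeneralizedTime


def years_until_generalizedtime(year: int) -> int:
    """Years from `year` until certs must switch to GeneralizedTime (2011 -> 39)."""
    return GENERALIZEDTIME_FROM - year


def encode_validity_time(t: datetime) -> tuple[str, str]:
    """Pick the ASN.1 type and string a conforming CA must emit for `t` (UTC)."""
    if t.tzinfo is None or t.utcoffset().total_seconds() != 0:
        raise ValueError("validity times must be expressed in UTC (Zulu)")
    if t.year < 1950:
        raise ValueError("UTCTime cannot represent years before 1950")
    if t.year < GENERALIZEDTIME_FROM:
        return "UTCTime", t.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", t.strftime("%Y%m%d%H%M%SZ")


def decode_validity_time(asn1_type: str, s: str) -> datetime:
    """Parse a UTCTime or GeneralizedTime string under the RFC 5280 restrictions."""
    if not s.endswith("Z"):
        raise ValueError(f"{s}: RFC 5280 requires Zulu time, no local offset")
    body = s[:-1]
    if asn1_type == "UTCTime":
        if len(body) != 12 or not body.isdigit():
            raise ValueError(f"{s}: UTCTime must be YYMMDDHHMMSSZ (seconds required)")
        yy = int(body[:2])
        year = 1900 + yy if yy >= UTCTIME_PIVOT else 2000 + yy   # the Y2K pivot
        rest = body[2:]
    elif asn1_type == "GeneralizedTime":
        if len(body) != 14 or not body.isdigit():
            raise ValueError(f"{s}: GeneralizedTime must be YYYYMMDDHHMMSSZ, no fractions")
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unknown ASN.1 time type {asn1_type!r}")
    # rest is MMDDHHMMSS; datetime() rejects impossible dates such as month 13.
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_encoding(asn1_type: str, s: str) -> list[str]:
    """Lint one encoded validity time; returns RFC 5280 violations (empty = fine)."""
    try:
        t = decode_validity_time(asn1_type, s)
    except ValueError as err:
        return [str(err)]
    if asn1_type == "GeneralizedTime" and t.year < GENERALIZEDTIME_FROM:
        return [f"{s}: year {t.year} MUST be encoded as UTCTime, not GeneralizedTime"]
    return []


if __name__ == "__main__":
    # Constructed samples: the thread's own date (2011) and both sides of the cut-over.
    for t in (datetime(2011, 4, 11, 12, 56, 2, tzinfo=timezone.utc),
              datetime(2049, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
              datetime(2050, 1, 1, 0, 0, 0, tzinfo=timezone.utc)):
        kind, text = encode_validity_time(t)
        print(f"{t.isoformat()} -> {kind} {text}  round-trip ok:",
              decode_validity_time(kind, text) == t)
    # A 2011 date wrongly emitted as GeneralizedTime is flagged.
    print(check_encoding("GeneralizedTime", "20110411125602Z"))
    print("years to go from 2011:", years_until_generalizedtime(2011))
```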


From nico@cryptonector.com  Mon Apr 11 10:21:31 2011
In-Reply-To: <p06240805c9c8e04e12bb@128.89.89.213>
Date: Mon, 11 Apr 2011 12:21:24 -0500
Message-ID: <BANLkTikWiPLV=FiOF00tWEio_PPiPjqw-g@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Stephen Kent <kent@bbn.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, saag@ietf.org
Subject: Re: [saag] SHA-3 Upgrade group

On Mon, Apr 11, 2011 at 11:56 AM, Stephen Kent <kent@bbn.com> wrote:
> Yes, we mandated support for UTF-8 in Directory Name in RFC 2459, with a
> drop dead date of 12/31/2003.  That didn't work out, so we relaxed the
> requirement in 5280.

For a second I read that as "relaxed the requirement to [year] 5280".

:)

From mundy@tislabs.com  Fri Apr 15 07:59:19 2011
Return-Path: <mundy@tislabs.com>
X-Original-To: saag@ietfc.amsl.com
Delivered-To: saag@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 0B71EE0745 for <saag@ietfc.amsl.com>; Fri, 15 Apr 2011 07:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MAxouRFn+A1E for <saag@ietfc.amsl.com>; Fri, 15 Apr 2011 07:59:18 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfc.amsl.com (Postfix) with ESMTP id 5EE50E06C2 for <saag@ietf.org>; Fri, 15 Apr 2011 07:59:18 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p3FExIoD013058; Fri, 15 Apr 2011 09:59:18 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p3FExHoH003976; Fri, 15 Apr 2011 09:59:17 -0500
Received: from [192.168.145.215] ([74.202.225.34]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);  Fri, 15 Apr 2011 10:59:17 -0400
From: Russ Mundy <mundy@tislabs.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Fri, 15 Apr 2011 10:59:16 -0400
Message-Id: <F3D16B70-7FF6-434B-A400-F77D14C2E59C@tislabs.com>
To: saag@ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-OriginalArrivalTime: 15 Apr 2011 14:59:17.0830 (UTC) FILETIME=[B18A3660:01CBFB7D]
Subject: [saag] ISMS Report for IETF-80
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2011 14:59:19 -0000

I thought that I had sent this during the meeting but don't see it on
the list - sorry for the delay.  Russ

--------------------

ISMS did not meet during IETF-80. The current WG activity is completing
the Interoperability Report for RFC 5343, RFC 5590, RFC 5591, and RFC
5953 as an essential action for the goal of advancing the specifications
to the Draft Standard level.  There has been basically no discussion on
the mail list about the proposal for a Kerberos security model that was
presented at IETF-79 so there does not appear to be sufficient interest
to take on that work in the WG.

From housley@vigilsec.com  Tue Apr 19 09:13:46 2011
Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfc.amsl.com
Delivered-To: saag@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 80FE5E07AE for <saag@ietfc.amsl.com>; Tue, 19 Apr 2011 09:13:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.534
X-Spam-Level: 
X-Spam-Status: No, score=-101.534 tagged_above=-999 required=5 tests=[AWL=-1.012, BAYES_00=-2.599, SUBJ_ALL_CAPS=2.077, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fsjRu6V1T5fG for <saag@ietfc.amsl.com>; Tue, 19 Apr 2011 09:13:46 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfc.amsl.com (Postfix) with ESMTP id 36B69E07B3 for <saag@ietf.org>; Tue, 19 Apr 2011 09:13:06 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id 9DDA9F2407B for <saag@ietf.org>; Tue, 19 Apr 2011 12:13:06 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id 0KFoiByHgsAK for <saag@ietf.org>; Tue, 19 Apr 2011 12:13:05 -0400 (EDT)
Received: from [192.168.2.100] (pool-71-178-218-117.washdc.fios.verizon.net [71.178.218.117]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id F2406F2407A for <saag@ietf.org>; Tue, 19 Apr 2011 12:13:05 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Tue, 19 Apr 2011 12:13:04 -0400
Message-Id: <57753D84-E073-49FF-BA09-AF03D0DA81C5@vigilsec.com>
To: IETF SAAG <saag@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [saag] NDSS 2012 CFP
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2011 16:13:46 -0000

Network and Distributed System Security will take place in San Diego on
6-8 February 2012.  Here is the Call for Papers:
http://www.cs.sunysb.edu/~sion/tmp/NDSS.12.cfp.pdf


From turners@ieca.com  Tue Apr 26 06:00:27 2011
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F60E0758 for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 06:00:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.668
X-Spam-Level: 
X-Spam-Status: No, score=-101.668 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QxW0wBk5yE0r for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 06:00:27 -0700 (PDT)
Received: from nm25-vm0.bullet.mail.sp2.yahoo.com (nm25-vm0.bullet.mail.sp2.yahoo.com [98.139.91.228]) by ietfa.amsl.com (Postfix) with SMTP id 2CB3AE072B for <saag@ietf.org>; Tue, 26 Apr 2011 06:00:27 -0700 (PDT)
Received: from [98.139.91.65] by nm25.bullet.mail.sp2.yahoo.com with NNFMP; 26 Apr 2011 13:00:27 -0000
Received: from [98.139.91.40] by tm5.bullet.mail.sp2.yahoo.com with NNFMP; 26 Apr 2011 13:00:27 -0000
Received: from [127.0.0.1] by omp1040.mail.sp2.yahoo.com with NNFMP; 26 Apr 2011 13:00:27 -0000
X-Yahoo-Newman-Id: 114509.56199.bm@omp1040.mail.sp2.yahoo.com
Received: (qmail 80352 invoked from network); 26 Apr 2011 13:00:27 -0000
Received: from thunderfish.local (turners@96.231.122.68 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 26 Apr 2011 06:00:25 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: 08nIUcsVM1lrf57wB1LzdeDaJAiBr0Of2X.8w8UVbqpUaZM oCMbS9llf3Ans1CJtgQsvhy7nAkrEXipfLzLu59zFk9QF5ivQu.41SL8_3c1 BMzuoFIFNnfs_8rp6XcgXXkItFSvZhBA.sz5XauQ3eIcV3Snmoaatou3jxqx FN0MvXMhvYl8Gp_9xI7N0LUf03V0770oexIqxBA_laysv1B5qVfqFz9PQE9r IgrY4cWEBM_furnu5z5iGQ6MnHqSc48p45B5Jf_OLlLooUQeT.Iuyr7WCPZ1 U1hwLsmyf1Yah2GCvrmcQtDxZZBHkbmyMxyyfk728efxdK.apvVfZGRn1h3x GAT1z5A4QOqicA.mRQR1JCh3LW.qBGgYjr4sMVj6dGn0T
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4DB6C1E7.9050805@ieca.com>
Date: Tue, 26 Apr 2011 09:00:23 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 13:00:27 -0000

Please find below a paper Stephen and I are hoping to submit to the W3C 
Identity in the Browser Workshop (24-25 May in Mountain View, 
California).  We'd like to submit it as the IETF Security Area 
Directors, but we'd obviously like to get comments from the saag list. 
The deadline for submissions is April 27th.  I apologize for the very 
short deadline.

spt

=====================================================================

Abstract

This position paper aims to provide some motivations for an Application 
Programming Interface (API) that will allow developers access to 
cryptographic algorithms already present in today's web browsers.

Motivations

More and more applications are moving to the "web" (i.e., 
http://www.example.com:80 and http://www.example.com:443).  Developers 
are working within the confines of browsers to secure these applications 
and most use Secure Sockets Layer (SSL)/Transport Security Layer (TLS) 
to do so.  For applications whose architectures are not strictly 
client-server this reliance is not always optimal.  As a work around, 
developers are investigating the use of JavaScript Object Notation 
(JSON) for application layer security protocols and cryptographic 
algorithms.  Use of JSON makes some sense in an application layer 
security protocol but developers rolling and then delivering their own 
cryptographic algorithms is not only wasteful but is possibly insecure 
when the browser's security "goodies" (i.e., the cryptographic 
algorithms) are just an Application Programming Interface (API) away.

Downloading cryptographic algorithms is wasteful in terms of bandwidth 
used.  Application and browser developers are both very interested in 
ensuring their applications are speedy in the eyes of users; nobody 
wants to lose a speed war on cnet®.  If web developers end up rolling 
their own cryptographic algorithms to support a JSON application layer 
security protocol, then the code may end up being downloaded during 
application initialization.  Cryptographic code could include: message 
digest/hash algorithms, digital signature algorithms, content encryption 
algorithms, key wrap algorithms, keyed-Hash Message Authentication Code 
(HMAC) algorithms, etc.

Developers rolling their own cryptographic code could be insecure.  As 
Steve Bellovin pointed out in RFC 5406: The design of security protocols 
is a subtle and difficult art.  In fact, it is worse: coding security 
protocols is even more subtle and difficult than designing the security 
protocol.  There is no doubt that some developers will get it right the 
first time but there is also no doubt that some will get it wrong.  With 
cryptographic algorithms already coded in browsers and some having been 
National Institute of Standards and Technology (NIST) Federal 
Information Processing Publication (FIPS PUB) 140 evaluated, it seems 
unnecessarily risky to not utilize the cryptographic algorithms already 
present in the browser.

Greedy Goals

An API that allows web developers to access browser-embedded 
cryptographic algorithms would include the following:

o Support for hash/message digest algorithms (e.g., SHA-256);
o Support for digital signature algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
o Support for confidentiality algorithms (i.e., AES);
o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5, 
ECDH);
o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
o Support extracting keys from TLS sessions ala RFC 5176;
o Support for PKI path validation (i.e., input/output of base64 
certificate/crl/ocsp blobs), and;
o Support for Cryptographic Message Syntax (CMS).

From rbarnes@bbn.com  Tue Apr 26 06:51:44 2011
Return-Path: <rbarnes@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE905E07C8 for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 06:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZrAPrEOntB3 for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 06:51:44 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 0BDF9E07C6 for <saag@ietf.org>; Tue, 26 Apr 2011 06:51:44 -0700 (PDT)
Received: from ros-dhcp192-1-51-22.bbn.com ([192.1.51.22]:63850) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1QEig3-000O3S-8P; Tue, 26 Apr 2011 09:51:43 -0400
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=iso-8859-1
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <4DB6C1E7.9050805@ieca.com>
Date: Tue, 26 Apr 2011 09:51:40 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <317F2A34-E8BB-49B2-9F85-3A60C3342945@bbn.com>
References: <4DB6C1E7.9050805@ieca.com>
To: Sean Turner <turners@ieca.com>
X-Mailer: Apple Mail (2.1082)
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 13:51:44 -0000

Overall, this paper looks great to me.  I would love to see such an API
deployed and widely used.

Couple of minor comments inline below.



On Apr 26, 2011, at 9:00 AM, Sean Turner wrote:

> Please find below a paper Stephen and I are hoping to submit to the
> W3C Identity in the Browser Workshop (24-25 May in Mountain View,
> California).  We'd like to submit it as the IETF Security Area
> Directors, but we'd obviously like to get comments from the saag list.
> The deadline for submissions is April 27th.  I apologize for the very
> short deadline.
>
> spt
>
> =====================================================================
>
> Abstract
>
> This position paper aims to provide some motivations for an
> Application Programming Interface (API) that will allow developers
> access to cryptographic algorithms already present in today's web
> browsers.
>
> Motivations
>
> More and more applications are moving to the "web" (i.e.,
> http://www.example.com:80 and http://www.example.com:443).  Developers
> are working within the confines of browsers to secure these applications
> and most use Secure Sockets Layer (SSL)/Transport Security Layer (TLS)
> to do so.  For applications whose architectures are not strictly
> client-server this reliance is not always optimal.  As a work around,
> developers are investigating the use of JavaScript Object Notation
> (JSON) for application layer security protocols and cryptographic
> algorithms.  Use of JSON makes some sense in an application layer
> security protocol but developers rolling and then delivering their own
> cryptographic algorithms is not only wasteful but is possibly insecure
> when the browser's security "goodies" (i.e., the cryptographic
> algorithms) are just an Application Programming Interface (API) away.

Technically, JSON is not being used for the cryptographic algorithms,
since it's just an encoding.  The concern is new ad-hoc Javascript
crypto libraries.  Suggested text:
"
Developers are investigating the creation of new Javascript-based
cryptography libraries and new formats for signed and encrypted objects
based on JavaScript Object Notation (JSON).
"


> Downloading cryptographic algorithms is wasteful in terms of bandwidth
> used.  Application and browser developers are both very interested in
> ensuring their applications are speedy in the eyes of users; nobody
> wants to lose a speed war on cnet®.  If web developers end up rolling
> their own cryptographic algorithms to support a JSON application layer
> security protocol, then the code may end up being downloaded during
> application initialization.  Cryptographic code could include: message
> digest/hash algorithms, digital signature algorithms, content encryption
> algorithms, key wrap algorithms, keyed-Hash Message Authentication Code
> (HMAC) algorithms, etc.

Probably also worth pointing out the obvious security risk that if
someone forgets to use HTTPS for the crypto library download, then an
attacker can feed them a bad library.


> Developers rolling their own cryptographic code could be insecure.  As
> Steve Bellovin pointed out in RFC 5406: The design of security protocols
> is a subtle and difficult art.  In fact, it is worse: coding security
> protocols is even more subtle and difficult than designing the security
> protocol.  There is no doubt that some developers will get it right the
> first time but there is also no doubt that some will get it wrong.  With
> cryptographic algorithms already coded in browsers and some having been
> National Institute of Standards and Technology (NIST) Federal
> Information Processing Publication (FIPS PUB) 140 evaluated, it seems
> unnecessarily risky to not utilize the cryptographic algorithms already
> present in the browser.
>
> Greedy Goals

How about just "Goals"?


> An API that allows web developers to access browser-embedded
> cryptographic algorithms would include the following:
>
> o Support for hash/message digest algorithms (e.g., SHA-256);
> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5,
> ECDSA);
> o Support for confidentiality algorithms (i.e., AES);

s/i.e./e.g./


> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1
> v1.5, ECDH);
> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
> o Support extracting keys from TLS sessions ala RFC 5176;

s/ala RFC 5176/(e.g., using RFC 5176)/


> o Support for PKI path validation (i.e., input/output of base64
> certificate/crl/ocsp blobs), and;
> o Support for Cryptographic Message Syntax (CMS).
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


From carl@redhoundsoftware.com  Tue Apr 26 07:54:03 2011
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1E2DE077E for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 07:54:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KGFcMmvgK5DQ for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 07:54:03 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id F27ABE077A for <saag@ietf.org>; Tue, 26 Apr 2011 07:54:02 -0700 (PDT)
Received: by qyk29 with SMTP id 29so1325349qyk.10 for <saag@ietf.org>; Tue, 26 Apr 2011 07:54:02 -0700 (PDT)
Received: by 10.224.201.201 with SMTP id fb9mr645242qab.196.1303829642238; Tue, 26 Apr 2011 07:54:02 -0700 (PDT)
Received: from [192.168.1.4] (pool-173-79-111-27.washdc.fios.verizon.net [173.79.111.27]) by mx.google.com with ESMTPS id l10sm3019027qck.38.2011.04.26.07.53.54 (version=SSLv3 cipher=OTHER); Tue, 26 Apr 2011 07:54:01 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.10.0.110310
Date: Tue, 26 Apr 2011 10:53:51 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Sean Turner <turners@ieca.com>, <saag@ietf.org>
Message-ID: <C9DC53EB.3645%carl@redhoundsoftware.com>
Thread-Topic: [saag] Paper for W3C Identity in the Browser Workshop
In-Reply-To: <4DB6C1E7.9050805@ieca.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 14:54:03 -0000

>
>o Support for PKI path validation (i.e., input/output of base64
>certificate/crl/ocsp blobs), and;

Add support for providing path validation algorithm inputs and receiving
path validation algorithm outputs.  It probably wouldn't hurt to try to
break reliance on unconstrained trust anchors in a new API too.  



From lear@cisco.com  Tue Apr 26 08:06:55 2011
Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49499E07DB for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 08:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.866
X-Spam-Level: 
X-Spam-Status: No, score=-109.866 tagged_above=-999 required=5 tests=[AWL=0.733, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6SvQBZ-mWQq for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 08:06:54 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id 50559E0757 for <saag@ietf.org>; Tue, 26 Apr 2011 08:06:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=lear@cisco.com; l=1281; q=dns/txt; s=iport; t=1303830384; x=1305039984; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=/u1vs3dGmkVcO/OpVVFLObFNhDPcQFd6SkanYxkVfLY=; b=PF2uVSE+ncW3gUXjgSKCwdxIZPhkhMZxSMD+wnQl0qA6fKxNzQQXiQTx KE1tAmgAGWTys7s/Xw51FLGPnaSPi9nqSv6//mnTjPpi0QOO89XgSrAb7 0FaEBkNmZqrCyEv46wDvWJurTMdu/LOzHCHaM2Rpd6aWTOs+bScW5oFFg s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Au8DADfftk2Q/khNgWdsb2JhbACEU6B1FAEBFiYlqDqLYJE8gSmBV4F5fQSOQY4i
X-IronPort-AV: E=Sophos;i="4.64,268,1301875200"; d="scan'208";a="27255554"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-2.cisco.com with ESMTP; 26 Apr 2011 15:05:44 +0000
Received: from ams3-vpn-dhcp8029.cisco.com (ams3-vpn-dhcp8029.cisco.com [10.61.95.92]) by ams-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p3QF5iZq013436; Tue, 26 Apr 2011 15:05:44 GMT
Message-ID: <4DB6DF2F.5060304@cisco.com>
Date: Tue, 26 Apr 2011 17:05:19 +0200
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: Sean Turner <turners@ieca.com>
References: <4DB6C1E7.9050805@ieca.com>
In-Reply-To: <4DB6C1E7.9050805@ieca.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 15:06:55 -0000

Sean,

On 4/26/11 3:00 PM, Sean Turner wrote:
>
> More and more applications are moving to the "web" (i.e.,
> http://www.example.com:80 and http://www.example.com:443).  Developers
> are working within the confines of browsers to secure these
> applications and most use Secure Sockets Layer (SSL)/Transport
> Security Layer (TLS) to do so.  For applications whose architectures
> are not strictly client-server this reliance is not always optimal. 
> As a work around, developers are investigating the use of JavaScript
> Object Notation (JSON) for application layer security protocols and
> cryptographic algorithms.  Use of JSON makes some sense in an
> application layer security protocol but developers rolling and then
> delivering their own cryptographic algorithms is not only wasteful but
> is possibly insecure when the browser's security "goodies" (i.e., the
> cryptographic algorithms) are just an Application Programming
> Interface (API) away.

I would in this case suggest stronger language.  "possibly insecure" is
too wishy washy.  I would consider using the term "dangerous".  For
supporting information, consider every last update it took to get
openssl as correct as it is today.  Now imagine some script kiddy doing
that sort of stuff.

From turners@ieca.com  Tue Apr 26 08:16:49 2011
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2FAE07D3 for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 08:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.482
X-Spam-Level: 
X-Spam-Status: No, score=-102.482 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tGpyrxw-9JbD for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 08:16:48 -0700 (PDT)
Received: from nm26-vm0.bullet.mail.ac4.yahoo.com (nm26-vm0.bullet.mail.ac4.yahoo.com [98.139.52.242]) by ietfa.amsl.com (Postfix) with SMTP id 6BDA6E07CB for <saag@ietf.org>; Tue, 26 Apr 2011 08:16:48 -0700 (PDT)
Received: from [98.139.52.196] by nm26.bullet.mail.ac4.yahoo.com with NNFMP; 26 Apr 2011 15:16:45 -0000
Received: from [98.139.52.184] by tm9.bullet.mail.ac4.yahoo.com with NNFMP; 26 Apr 2011 15:16:45 -0000
Received: from [127.0.0.1] by omp1067.mail.ac4.yahoo.com with NNFMP; 26 Apr 2011 15:16:45 -0000
X-Yahoo-Newman-Id: 135763.67016.bm@omp1067.mail.ac4.yahoo.com
Received: (qmail 24298 invoked from network); 26 Apr 2011 15:16:44 -0000
Received: from thunderfish.local (turners@96.231.122.68 with plain) by smtp115.biz.mail.mud.yahoo.com with SMTP; 26 Apr 2011 08:16:42 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: rz6iJgEVM1lc2.1fDh9aT5NAGdlmBPT5ChEv0D5z3D0.o4U RJ8Xip0XCJxw6Zq3.NZk.tzT0dkOCGaTTWms0YxJyVkk42txFKnrVkynXYBv cEpZW852BbLqSwrKDQojSwHJKjHF9c2JrvPJWp.peTKWknr5do8yjICrnLRm mN8lej0CM4gVq8zF31Pl8GwumYpdvD1S6CV6Ie2uUZ.4EJZKVCsxwpWrZfKR Pjz.yq6n4DpaoJx5FjSdwsvS9ScP5AhzNdI6xO7XzEgPs3gzCxi9Qc7R._Ns uEnv6Vg9bUUbVWvh24HWVzu9bVAeFuSSuFaDnBnIYX1cAeoQ3IZVmaYOO.Ju RMBioiGZWwl21Ic5N_v550fEjjUvT5mBfpAEb6igAZYOpEg--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4DB6E1D9.4090107@ieca.com>
Date: Tue, 26 Apr 2011 11:16:41 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <4DB6C1E7.9050805@ieca.com> <317F2A34-E8BB-49B2-9F85-3A60C3342945@bbn.com>
In-Reply-To: <317F2A34-E8BB-49B2-9F85-3A60C3342945@bbn.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 15:16:49 -0000

Richard,

Thanks for the review.  Responses inline.

spt

On 4/26/11 9:51 AM, Richard L. Barnes wrote:
> Overall, this paper looks great to me.  I would love to see such an API deployed and widely used.
>
> Couple of minor comments inline below.
>
>
>
> On Apr 26, 2011, at 9:00 AM, Sean Turner wrote:
>
>> Please find below a paper Stephen and I are hoping to submit to the W3C Identity in the Browser Workshop (24-25 May in Mountain View, California).  We'd like to submit it as the IETF Security Area Directors, but we'd obviously like to get comments from the saag list. The deadline for submissions is April 27th.  I apologize for the very short deadline.
>>
>> spt
>>
>> =====================================================================
>>
>> Abstract
>>
>> This position paper aims to provide some motivations for an Application Programming Interface (API) that will allow developers access to cryptographic algorithms already present in today's web browsers.
>>
>> Motivations
>>
>> More and more applications are moving to the "web" (i.e., http://www.example.com:80 and http://www.example.com:443).  Developers are working within the confines of browsers to secure these applications and most use Secure Sockets Layer (SSL)/Transport Security Layer (TLS) to do so.  For applications whose architectures are not strictly client-server this reliance is not always optimal.  As a work around, developers are investigating the use of JavaScript Object Notation (JSON) for application layer security protocols and cryptographic algorithms.  Use of JSON makes some sense in an application layer security protocol but developers rolling and then delivering their own cryptographic algorithms is not only wasteful but is possibly insecure when the browser's security "goodies" (i.e., the cryptographic algorithms) are just an Application Programming Interface (API) away.
>
> Technically, JSON is not being used for the cryptographic algorithms, since it's just an encoding.  The concern is new ad-hoc Javascript crypto libraries.  Suggested text:
> "
> Developers are investigating the creation of new Javascript-based cryptography libraries and new formats for signed and encrypted objects based on JavaScript Object Notation (JSON).
> "

Yeah that makes sense.  Done.

>> Downloading cryptographic algorithms is wasteful in terms of bandwidth used.  Application and browser developers are both very interested in ensuring their applications are speedy in the eyes of users; nobody wants to lose a speed war on cnet®.  If web developers end up rolling their own cryptographic algorithms to support a JSON application layer security protocol, then the code may end up being downloaded during application initialization.  Cryptographic code could include: message digest/hash algorithms, digital signature algorithms, content encryption algorithms, key wrap algorithms, keyed-Hash Message Authentication Code (HMAC) algorithms, etc.
>
> Probably also worth pointing out the obvious security risk that if someone forgets to use HTTPS for the crypto library download, then an attacker can feed them a bad library.

Err yeah.  I'll add:

Obviously, downloading cryptographic algorithms is also an easy attack 
vector if not done over https.

>> Developers rolling their own cryptographic code could be insecure.  As Steve Bellovin pointed out in RFC 5406: The design of security protocols is a subtle and difficult art.  In fact, it is worse: coding security protocols is even more subtle and difficult than designing the security protocol.  There is no doubt that some developers will get it right the first time but there is also no doubt that some will get it wrong.  With cryptographic algorithms already coded in browsers and some having been National Institute of Standards and Technology (NIST) Federal Information Processing Publication (FIPS PUB) 140 evaluated, it seems unnecessarily risky to not utilize the cryptographic algorithms already present in the browser.
>>
>> Greedy Goals
>
> How about just "Goals"?

I was trying to be cheeky.  We are asking them to do all the work after 
all.  But, I see your point.

>> An API that allows web developers to access browser-embedded cryptographic algorithms would include the following:
>>
>> o Support for hash/message digest algorithms (e.g., SHA-256);
>> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
>> o Support for confidentiality algorithms (i.e., AES);
>
> s/i.e./e.g./

I actually did this on purpose because I hope to avoid the "please 
include my vanity crypto too" discussion.  But, they can probably figure 
that out.
>
>
>> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5, ECDH);
>> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
>> o Support extracting keys from TLS sessions ala RFC 5176;
>
> s/ala RFC 5176/(e.g., using RFC 5176)/

done.

>> o Support for PKI path validation (i.e., input/output of base64 certificate/crl/ocsp blobs), and;
>> o Support for Cryptographic Message Syntax (CMS).
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>
>

From yaronf.ietf@gmail.com  Tue Apr 26 11:13:23 2011
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D296E06A6 for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 11:13:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.474
X-Spam-Level: 
X-Spam-Status: No, score=-102.474 tagged_above=-999 required=5 tests=[AWL=1.125, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nmRdIPLv0j3I for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 11:13:22 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 708A3E076A for <saag@ietf.org>; Tue, 26 Apr 2011 11:13:22 -0700 (PDT)
Received: by wwa36 with SMTP id 36so686332wwa.13 for <saag@ietf.org>; Tue, 26 Apr 2011 11:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=SBzXIBkMV444lrGVj2IgfS+h8tWz7TsGZYoWX3lf9qQ=; b=gcxokMdsCBiXr1q49y3kXq//rRaVu+JWpChmiNUWx/KZh/9Gck257E0J/8TS7d7S5e eetVQgICxcvHaKYlZKeLVKKU3s81xHCJUeryKm+M/YGrGE+fwDITNPq50TgL3kGf1oJG 6/BxuWbDLAGuFuyxBTsxLcOAX1TufKhsY89sk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=HG6acgLpjZYjMPkNWchVM/ZF+V3UWLQ9W1QeqOtG+iOSrjJKtvBU0Dv0JcZHBigEfB oaW8cAl78UO11/7qcz6EXzQ5+sox/Z8PqCKvYQYMm/eBpV8nlzovXsUKh1Fx5TJcSneq UCJ1SglKaGl5tnD0QY+HYHc50zxn+1nQfrP30=
Received: by 10.227.101.32 with SMTP id a32mr1176886wbo.28.1303841599626; Tue, 26 Apr 2011 11:13:19 -0700 (PDT)
Received: from [10.0.0.1] (bzq-79-178-30-144.red.bezeqint.net [79.178.30.144]) by mx.google.com with ESMTPS id bs4sm4007606wbb.1.2011.04.26.11.13.05 (version=SSLv3 cipher=OTHER); Tue, 26 Apr 2011 11:13:18 -0700 (PDT)
Message-ID: <4DB70B2C.20503@gmail.com>
Date: Tue, 26 Apr 2011 21:13:00 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: Sean Turner <turners@ieca.com>
References: <4DB6C1E7.9050805@ieca.com>
In-Reply-To: <4DB6C1E7.9050805@ieca.com>
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 18:13:23 -0000

Hi Sean,

last I checked, JavaScript did not provide any sort of reasonable 
crypto-quality random number generator, nor even a lower quality PRNG, 
for that matter.

The JavaScript community is used to downloading major libraries along 
with the Web page (e.g. JQuery). This is arguably inelegant, but it 
works. It could also work fine for the crypto algorithms you list. The 
only case where you MUST use the local resources is random number 
generation.

In other words: please add RNG to your list of goals.

Thanks,
	Yaron

On 04/26/2011 04:00 PM, Sean Turner wrote:
> Please find below a paper Stephen and I are hoping to submit to the W3C
> Identity in the Browser Workshop (24-25 May in Mountain View,
> California). We'd like to submit it as the IETF Security Area Directors,
> but we'd obviously like to get comments from the saag list. The deadline
> for submissions is April 27th. I apologize for the very short deadline.
>
> spt
>
> =====================================================================
>
> Abstract
>
> This position paper aims to provide some motivations for an Application
> Programming Interface (API) that will allow developers access to
> cryptographic algorithms already present in today's web browsers.
>
> Motivations
>
> More and more applications are moving to the "web" (i.e.,
> http://www.example.com:80 and http://www.example.com:443). Developers
> are working within the confines of browsers to secure these applications
> and most use Secure Sockets Layer (SSL)/Transport Security Layer (TLS)
> to do so. For applications whose architectures are not strictly
> client-server this reliance is not always optimal. As a work around,
> developers are investigating the use of JavaScript Object Notation
> (JSON) for application layer security protocols and cryptographic
> algorithms. Use of JSON makes some sense in an application layer
> security protocol but developers rolling and then delivering their own
> cryptographic algorithms is not only wasteful but is possibly insecure
> when the browser's security "goodies" (i.e., the cryptographic
> algorithms) are just an Application Programming Interface (API) away.
>
> Downloading cryptographic algorithms is wasteful in terms of bandwidth
> used. Application and browser developers are both very interested in
> ensuring their applications are speedy in the eyes of users; nobody
> wants to lose a speed war on cnet®. If web developers end up rolling
> their own cryptographic algorithms to support a JSON application layer
> security protocol, then the code may end up being downloaded during
> application initialization. Cryptographic code could include: message
> digest/hash algorithms, digital signature algorithms, content encryption
> algorithms, key wrap algorithms, keyed-Hash Message Authentication Code
> (HMAC) algorithms, etc.
>
> Developers rolling their own cryptographic code could be insecure. As
> Steve Bellovin pointed out in RFC 5406: The design of security protocols
> is a subtle and difficult art. In fact, it is worse: coding security
> protocols is even more subtle and difficult than designing the security
> protocol. There is no doubt that some developers will get it right the
> first time but there is also no doubt that some will get it wrong. With
> cryptographic algorithms already coded in browsers and some having been
> National Institute of Standards and Technology (NIST) Federal
> Information Processing Publication (FIPS PUB) 140 evaluated, it seems
> unnecessarily risky to not utilize the cryptographic algorithms already
> present in the browser.
>
> Greedy Goals
>
> An API that allows web developers to access browser-embedded
> cryptographic algorithms would include the following:
>
> o Support for hash/message digest algorithms (e.g., SHA-256);
> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
> o Support for confidentiality algorithms (i.e., AES);
> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5,
> ECDH);
> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
> o Support extracting keys from TLS sessions ala RFC 5176;
> o Support for PKI path validation (i.e., input/output of base64
> certificate/crl/ocsp blobs), and;
> o Support for Cryptographic Message Syntax (CMS).
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

From stpeter@stpeter.im  Tue Apr 26 12:44:03 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B55A8E07CE for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 12:44:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.266
X-Spam-Level: 
X-Spam-Status: No, score=-102.266 tagged_above=-999 required=5 tests=[AWL=0.333, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h80oa11QGX4s for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 12:44:03 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by ietfa.amsl.com (Postfix) with ESMTP id EB709E0767 for <saag@ietf.org>; Tue, 26 Apr 2011 12:44:02 -0700 (PDT)
Received: from dhcp-64-101-72-185.cisco.com (dhcp-64-101-72-185.cisco.com [64.101.72.185]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id EEC4140022; Tue, 26 Apr 2011 13:48:11 -0600 (MDT)
Message-ID: <4DB7207B.8010005@stpeter.im>
Date: Tue, 26 Apr 2011 13:43:55 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4DB6C1E7.9050805@ieca.com> <4DB70B2C.20503@gmail.com>
In-Reply-To: <4DB70B2C.20503@gmail.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms070708050508060405030503"
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 19:44:03 -0000

This is a cryptographically signed message in MIME format.

--------------ms070708050508060405030503
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 4/26/11 12:13 PM, Yaron Sheffer wrote:
> Hi Sean,
>
> last I checked, JavaScript did not provide any sort of reasonable
> crypto-quality random number generator, nor even a lower quality PRNG,
> for that matter.
>
> The JavaScript community is used to downloading major libraries along
> with the Web page (e.g. JQuery). This is arguably inelegant, but it
> works. It could also work fine for the crypto algorithms you list. The
> only case where you MUST use the local resources is random number
> generation.
>
> In other words: please add RNG to your list of goals.

How about:

o Methods for using local resources to generate random (or
pseudo-random) numbers

Here is a revised version of the position paper. (I've added myself as a
submitter because Sean and Stephen can't participate in the workshop due
to other obligations, so I offered to present the topic if the proposal
is accepted.)

###

Submitters

Sean Turner
Stephen Farrell
Peter Saint-Andre

Abstract

This position paper advocates an Application Programming Interface (API)
that will enable developers access to cryptographic algorithms already
present in today's web browsers.

Motivations

More and more applications are moving to the "web" (e.g.,
http://app.example.com:80 and https://app.example.com:443).  Developers
are working within the confines of various browsers to secure these
applications, and most use Secure Sockets Layer (SSL)/Transport Security
Layer (TLS) to do so.  This reliance is sub-optimal for applications
whose architectures are not strictly client-server (e.g., IM and VoIP).
 As a workaround, developers are currently investigating the creation of
new Javascript-based cryptography libraries, along with new formats for
signed and encrypted objects based on JavaScript Object Notation (JSON).
 Use of JSON makes some sense in an application layer security protocol.
 However, it makes less sense for developers to roll (and deliver) their
own cryptographic algorithms -- it's not only wasteful, it's also
dangerous when the browser's security "goodies" (i.e., the cryptographic
algorithms) are just an API away.

Downloading cryptographic algorithms is wasteful in terms of bandwidth
used.  Application and browser developers are both very interested in
ensuring their applications are speedy in the eyes of users; nobody
wants to lose a speed war on CNET.  If web developers end up rolling
their own cryptographic algorithms to support a JSON application layer
security protocol, then the code may end up being downloaded during
application initialization.  Such cryptographic code could include
message digest/hash algorithms, digital signature algorithms, content
encryption algorithms, key wrap algorithms, and keyed-Hash Message
Authentication Code (HMAC) algorithms.  This kind of code is typically
not small because of the significant math involved in producing strong
security.

However, the greatest danger here is not a waste of bandwidth, but
possible security breaches.  Obviously, downloading cryptographic
algorithms is an easy attack vector if not done over SSL/TLS.  But the
real challenge is that security is hard.  As Steve Bellovin pointed out
in RFC 5406, the design of security protocols is a subtle and difficult
art.  In fact, coding security protocols is even more subtle and
difficult than designing security protocols.  There is no doubt that
some developers will get it right the first time, but there is also no
doubt that some will get it wrong.  Given that cryptographic algorithms
are already coded into browsers (and that some of them have already been
evaluated by the U.S. National Institute of Standards and Technology
(NIST) for compliance with Federal Information Processing Publication
(FIPS PUB) 140), it seems unnecessarily risky to not make use of the
cryptographic algorithms already present in the browser.  A consistent
API for access to those algorithms would provide a strong foundation for
securing the web.

Goals

We propose that a consistent web security API would support the
following algorithms and functions:

o Hash/message digest algorithms (e.g., SHA-256)
o Digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA)
o Confidentiality algorithms (e.g., AES)
o Key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5, ECDH)
o HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256)
o Methods for extracting keys from TLS sessions (e.g., using RFC 5176)
o Methods for PKI path validation (e.g., input/output of base64
certificate/CRL blobs)
o Methods for generating and processing Cryptographic Message Syntax (CMS)
o Methods for using local resources to generate random (or
pseudo-random) numbers


--------------ms070708050508060405030503
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms070708050508060405030503--

From yaronf.ietf@gmail.com  Tue Apr 26 13:35:01 2011
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA631E07DD for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 13:35:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.849
X-Spam-Level: 
X-Spam-Status: No, score=-102.849 tagged_above=-999 required=5 tests=[AWL=0.750, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id atKrKUROnS-p for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 13:35:00 -0700 (PDT)
Received: from mail-ww0-f42.google.com (mail-ww0-f42.google.com [74.125.82.42]) by ietfa.amsl.com (Postfix) with ESMTP id 74277E07AA for <saag@ietf.org>; Tue, 26 Apr 2011 13:35:00 -0700 (PDT)
Received: by wwk4 with SMTP id 4so2667748wwk.1 for <saag@ietf.org>; Tue, 26 Apr 2011 13:34:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=rb7mfsz7vzSwmMLCIM4hXSDT1UayP+MVKOSuJmVkiQ4=; b=XJTdV/ZDiYwFRV/rYIqmzaePXuwgYWofRrbtGgm/SkbAj0TgWPxWQBsz+NxZj30O0t dpLL3kobld1QepSp342AYWmSpPuRzsKGTNuzkW5MHsUWeZETvcwL5mTDL4EItxOxCRRN 7rFLzcUhjg50QykQ+8uJHJ9z1TtMT/BnQsN1U=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=blLAY/aPgNUFSlN5kqkZRtNvCwD9K6E9s26bpLhB7eXwfAXzdD0MT8GvTpgBk6YOwf rYebYyGPQIkIUhjZaHhogues6EmV91R4QbhLnRaXlJ9e16aiNZS5bAyrDcV0aiWb6Llc zWu1+Mk0G+4IeCMZmeDR6f+iXpKxgbMUoamqg=
Received: by 10.216.59.147 with SMTP id s19mr5129742wec.25.1303850099332; Tue, 26 Apr 2011 13:34:59 -0700 (PDT)
Received: from [10.0.0.1] (bzq-79-178-30-144.red.bezeqint.net [79.178.30.144]) by mx.google.com with ESMTPS id z13sm46151wbd.63.2011.04.26.13.34.56 (version=SSLv3 cipher=OTHER); Tue, 26 Apr 2011 13:34:58 -0700 (PDT)
Message-ID: <4DB72C6E.8040401@gmail.com>
Date: Tue, 26 Apr 2011 23:34:54 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4DB6C1E7.9050805@ieca.com> <4DB70B2C.20503@gmail.com> <4DB7207B.8010005@stpeter.im>
In-Reply-To: <4DB7207B.8010005@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 20:35:01 -0000

Sounds good. Although it's obvious to us, I would add "of cryptographic 
strength".

Thanks,
	Yaron

On 04/26/2011 10:43 PM, Peter Saint-Andre wrote:
> On 4/26/11 12:13 PM, Yaron Sheffer wrote:
>> Hi Sean,
>>
>> last I checked, JavaScript did not provide any sort of reasonable
>> crypto-quality random number generator, nor even a lower quality PRNG,
>> for that matter.
>>
>> The JavaScript community is used to downloading major libraries along
>> with the Web page (e.g. JQuery). This is arguably inelegant, but it
>> works. It could also work fine for the crypto algorithms you list. The
>> only case where you MUST use the local resources is random number
>> generation.
>>
>> In other words: please add RNG to your list of goals.
>
> How about:
>
> o Methods for using local resources to generate random (or
> pseudo-random) numbers
>
> Here is a revised version of the position paper. (I've added myself as a
> submitter because Sean and Stephen can't participate in the workshop due
> to other obligations, so I offered to present the topic if the proposal
> is accepted.)
>
> ###
>
> Submitters
>
> Sean Turner
> Stephen Farrell
> Peter Saint-Andre
>
> Abstract
>
> This position paper advocates an Application Programming Interface (API)
> that will enable developers access to cryptographic algorithms already
> present in today's web browsers.
>
> Motivations
>
> More and more applications are moving to the "web" (e.g.,
> http://app.example.com:80 and https://app.example.com:443).  Developers
> are working within the confines of various browsers to secure these
> applications, and most use Secure Sockets Layer (SSL)/Transport Security
> Layer (TLS) to do so.  This reliance is sub-optimal for applications
> whose architectures are not strictly client-server (e.g., IM and VoIP).
>   As a workaround, developers are currently investigating the creation of
> new Javascript-based cryptography libraries, along with new formats for
> signed and encrypted objects based on JavaScript Object Notation (JSON).
>   Use of JSON makes some sense in an application layer security protocol.
>   However, it makes less sense for developers to roll (and deliver) their
> own cryptographic algorithms -- it's not only wasteful, it's also
> dangerous when the browser's security "goodies" (i.e., the cryptographic
> algorithms) are just an API away.
>
> Downloading cryptographic algorithms is wasteful in terms of bandwidth
> used.  Application and browser developers are both very interested in
> ensuring their applications are speedy in the eyes of users; nobody
> wants to lose a speed war on CNET.  If web developers end up rolling
> their own cryptographic algorithms to support a JSON application layer
> security protocol, then the code may end up being downloaded during
> application initialization.  Such cryptographic code could include
> message digest/hash algorithms, digital signature algorithms, content
> encryption algorithms, key wrap algorithms, and keyed-Hash Message
> Authentication Code (HMAC) algorithms.  This kind of code is typically
> not small because of the significant math involved in producing strong
> security.
>
> However, the greatest danger here is not a waste of bandwidth, but
> possible security breaches.  Obviously, downloading cryptographic
> algorithms is an easy attack vector if not done over SSL/TLS.  But the
> real challenge is that security is hard.  As Steve Bellovin pointed out
> in RFC 5406, the design of security protocols is a subtle and difficult
> art.  In fact, coding security protocols is even more subtle and
> difficult than designing security protocols.  There is no doubt that
> some developers will get it right the first time, but there is also no
> doubt that some will get it wrong.  Given that cryptographic algorithms
> are already coded into browsers (and that some of them have already been
> evaluated by the U.S. National Institute of Standards and Technology
> (NIST) for compliance with Federal Information Processing Publication
> (FIPS PUB) 140), it seems unnecessarily risky to not make use of the
> cryptographic algorithms already present in the browser.  A consistent
> API for access to those algorithms would provide a strong foundation for
> securing the web.
>
> Goals
>
> We propose that a consistent web security API would support the
> following algorithms and functions:
>
> o Hash/message digest algorithms (e.g., SHA-256)
> o Digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA)
> o Confidentiality algorithms (e.g., AES)
> o Key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5, ECDH)
> o HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256)
> o Methods for extracting keys from TLS sessions (e.g., using RFC 5176)
> o Methods for PKI path validation (e.g., input/output of base64
> certificate/CRL blobs)
> o Methods for generating and processing Cryptographic Message Syntax (CMS)
> o Methods for using local resources to generate random (or
> pseudo-random) numbers
>

From stpeter@stpeter.im  Tue Apr 26 13:39:50 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 456F1E0787 for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 13:39:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.296
X-Spam-Level: 
X-Spam-Status: No, score=-102.296 tagged_above=-999 required=5 tests=[AWL=0.303, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9lxMb7qTIsCp for <saag@ietfa.amsl.com>; Tue, 26 Apr 2011 13:39:49 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by ietfa.amsl.com (Postfix) with ESMTP id 5C839E06A6 for <saag@ietf.org>; Tue, 26 Apr 2011 13:39:49 -0700 (PDT)
Received: from dhcp-64-101-72-185.cisco.com (dhcp-64-101-72-185.cisco.com [64.101.72.185]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id EC55C40022; Tue, 26 Apr 2011 14:43:59 -0600 (MDT)
Message-ID: <4DB72D92.8050307@stpeter.im>
Date: Tue, 26 Apr 2011 14:39:46 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4DB6C1E7.9050805@ieca.com> <4DB70B2C.20503@gmail.com> <4DB7207B.8010005@stpeter.im> <4DB72C6E.8040401@gmail.com>
In-Reply-To: <4DB72C6E.8040401@gmail.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms080008020900090700050508"
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 20:39:50 -0000

This is a cryptographically signed message in MIME format.

--------------ms080008020900090700050508
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Changed in my working copy to:

o Methods for using local resources to generate random (or
pseudo-random) numbers of cryptographic strength

On 4/26/11 2:34 PM, Yaron Sheffer wrote:
> Sounds good. Although it's obvious to us, I would add "of cryptographic
> strength".
>
> Thanks,
>     Yaron
>
> On 04/26/2011 10:43 PM, Peter Saint-Andre wrote:
>> On 4/26/11 12:13 PM, Yaron Sheffer wrote:
>>> Hi Sean,
>>>
>>> last I checked, JavaScript did not provide any sort of reasonable
>>> crypto-quality random number generator, nor even a lower quality PRNG,
>>> for that matter.
>>>
>>> The JavaScript community is used to downloading major libraries along
>>> with the Web page (e.g. JQuery). This is arguably inelegant, but it
>>> works. It could also work fine for the crypto algorithms you list. The
>>> only case where you MUST use the local resources is random number
>>> generation.
>>>
>>> In other words: please add RNG to your list of goals.
>>
>> How about:
>>
>> o Methods for using local resources to generate random (or
>> pseudo-random) numbers
>>
>> Here is a revised version of the position paper. (I've added myself as a
>> submitter because Sean and Stephen can't participate in the workshop due
>> to other obligations, so I offered to present the topic if the proposal
>> is accepted.)
>>
>> ###
>>
>> Submitters
>>
>> Sean Turner
>> Stephen Farrell
>> Peter Saint-Andre
>>
>> Abstract
>>
>> This position paper advocates an Application Programming Interface (API)
>> that will enable developers access to cryptographic algorithms already
>> present in today's web browsers.
>>
>> Motivations
>>
>> More and more applications are moving to the "web" (e.g.,
>> http://app.example.com:80 and https://app.example.com:443).  Developers
>> are working within the confines of various browsers to secure these
>> applications, and most use Secure Sockets Layer (SSL)/Transport Security
>> Layer (TLS) to do so.  This reliance is sub-optimal for applications
>> whose architectures are not strictly client-server (e.g., IM and VoIP).
>> As a workaround, developers are currently investigating the creation of
>> new Javascript-based cryptography libraries, along with new formats for
>> signed and encrypted objects based on JavaScript Object Notation (JSON).
>> Use of JSON makes some sense in an application layer security protocol.
>> However, it makes less sense for developers to roll (and deliver) their
>> own cryptographic algorithms -- it's not only wasteful, it's also
>> dangerous when the browser's security "goodies" (i.e., the cryptographic
>> algorithms) are just an API away.
>>
>> Downloading cryptographic algorithms is wasteful in terms of bandwidth
>> used.  Application and browser developers are both very interested in
>> ensuring their applications are speedy in the eyes of users; nobody
>> wants to lose a speed war on CNET.  If web developers end up rolling
>> their own cryptographic algorithms to support a JSON application layer
>> security protocol, then the code may end up being downloaded during
>> application initialization.  Such cryptographic code could include
>> message digest/hash algorithms, digital signature algorithms, content
>> encryption algorithms, key wrap algorithms, and keyed-Hash Message
>> Authentication Code (HMAC) algorithms.  This kind of code is typically
>> not small because of the significant math involved in producing strong
>> security.
>>
>> However, the greatest danger here is not a waste of bandwidth, but
>> possible security breaches.  Obviously, downloading cryptographic
>> algorithms is an easy attack vector if not done over SSL/TLS.  But the
>> real challenge is that security is hard.  As Steve Bellovin pointed out
>> in RFC 5406, the design of security protocols is a subtle and difficult
>> art.  In fact, coding security protocols is even more subtle and
>> difficult than designing security protocols.  There is no doubt that
>> some developers will get it right the first time, but there is also no
>> doubt that some will get it wrong.  Given that cryptographic algorithms
>> are already coded into browsers (and that some of them have already been
>> evaluated by the U.S. National Institute of Standards and Technology
>> (NIST) for compliance with Federal Information Processing Publication
>> (FIPS PUB) 140), it seems unnecessarily risky to not make use of the
>> cryptographic algorithms already present in the browser.  A consistent
>> API for access to those algorithms would provide a strong foundation for
>> securing the web.
>>
>> Goals
>>
>> We propose that a consistent web security API would support the
>> following algorithms and functions:
>>
>> o Hash/message digest algorithms (e.g., SHA-256)
>> o Digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA)
>> o Confidentiality algorithms (e.g., AES)
>> o Key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5, ECDH)
>> o HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256)
>> o Methods for extracting keys from TLS sessions (e.g., using RFC 5176)
>> o Methods for PKI path validation (e.g., input/output of base64
>> certificate/CRL blobs)
>> o Methods for generating and processing Cryptographic Message Syntax
>> (CMS)
>> o Methods for using local resources to generate random (or
>> pseudo-random) numbers
>>




From simon@josefsson.org  Tue Apr 26 13:49:43 2011
From: Simon Josefsson <simon@josefsson.org>
To: Sean Turner <turners@ieca.com>
References: <4DB6C1E7.9050805@ieca.com>
Date: Tue, 26 Apr 2011 22:49:29 +0200
In-Reply-To: <4DB6C1E7.9050805@ieca.com> (Sean Turner's message of "Tue, 26 Apr 2011 09:00:23 -0400")
Message-ID: <87bozs20x2.fsf@latte.josefsson.org>
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop

Sean Turner <turners@ieca.com> writes:

> An API that allows web developers to access browser-embedded
> cryptographic algorithms would include the following:
>
> o Support for hash/message digest algorithms (e.g., SHA-256);
> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
> o Support for confidentiality algorithms (i.e., AES);
> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1
> v1.5, ECDH);
> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
> o Support extracting keys from TLS sessions ala RFC 5176;

Shouldn't this be RFC 5705?

> o Support for PKI path validation (i.e., input/output of base64
> certificate/crl/ocsp blobs), and;
> o Support for Cryptographic Message Syntax (CMS).

My wishlist would include:

o Support for getting TLS channel binding ala RFC 5056/5929

/Simon

From stpeter@stpeter.im  Tue Apr 26 13:56:08 2011
Message-ID: <4DB73164.1050007@stpeter.im>
Date: Tue, 26 Apr 2011 14:56:04 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Simon Josefsson <simon@josefsson.org>
References: <4DB6C1E7.9050805@ieca.com> <87bozs20x2.fsf@latte.josefsson.org>
In-Reply-To: <87bozs20x2.fsf@latte.josefsson.org>
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop

On 4/26/11 2:49 PM, Simon Josefsson wrote:
> Sean Turner <turners@ieca.com> writes:
>
>> An API that allows web developers to access browser-embedded
>> cryptographic algorithms would include the following:
>>
>> o Support for hash/message digest algorithms (e.g., SHA-256);
>> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
>> o Support for confidentiality algorithms (i.e., AES);
>> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1
>> v1.5, ECDH);
>> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
>> o Support extracting keys from TLS sessions ala RFC 5176;
>
> Shouldn't this be RFC 5705?

Indeed.

>> o Support for PKI path validation (i.e., input/output of base64
>> certificate/crl/ocsp blobs), and;
>> o Support for Cryptographic Message Syntax (CMS).
>
> My wishlist would include:
>
> o Support for getting TLS channel binding ala RFC 5056/5929

Yes, that is desirable as well (probably the reference to RFC 5929 is
sufficient).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/





From stephen.farrell@cs.tcd.ie  Tue Apr 26 14:27:15 2011
Message-ID: <4DB738A6.2070002@cs.tcd.ie>
Date: Tue, 26 Apr 2011 22:27:02 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4DB6C1E7.9050805@ieca.com> <87bozs20x2.fsf@latte.josefsson.org> <4DB73164.1050007@stpeter.im>
In-Reply-To: <4DB73164.1050007@stpeter.im>
Cc: Simon Josefsson <simon@josefsson.org>, saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop

On 26/04/11 21:56, Peter Saint-Andre wrote:
> On 4/26/11 2:49 PM, Simon Josefsson wrote:
>> My wishlist would include:
>>
>> o Support for getting TLS channel binding ala RFC 5056/5929
> 
> Yes, that is desirable as well (probably the reference to RFC 5929 is
> sufficient).

Hmmm. I'm less sure that javascript application developers will
want/get the point of 5969 but let's put it in and not debate
that now.

But in any case, I'd like us not to extend the list too much or
include things that might be perceived as arcane. I suspect that
getting the idea of such an API accepted will require that it
be quite simple to use and understand.

S.


From pgut001@login01.cs.auckland.ac.nz  Wed Apr 27 01:44:57 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: carl@redhoundsoftware.com, saag@ietf.org, turners@ieca.com
In-Reply-To: <C9DC53EB.3645%carl@redhoundsoftware.com>
Message-Id: <E1QF0Me-00041s-Lc@login01.fos.auckland.ac.nz>
Date: Wed, 27 Apr 2011 20:44:52 +1200
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop

Carl Wallace <carl@redhoundsoftware.com> writes:

>Add support for providing path validation algorithm inputs and receiving path
>validation algorithm outputs.  It probably wouldn't hurt to try to break
>reliance on unconstrained trust anchors in a new API too.

As we slowly move towards reinventing CDSA in Javascript, might I suggest:

- Encrypt and decrypt a blob in CMS or PGP format.
- MAC/Verify a blob in CMS or PGP format (actually you'd need CMS for this).
- Salted-iterated-hash a password.

Then see how things go with that, and if it's necessary to go any further.

Peter.

From Jeff.Hodges@KingsMountain.com  Wed Apr 27 17:22:46 2011
Message-ID: <4DB8B355.7040505@KingsMountain.com>
Date: Wed, 27 Apr 2011 17:22:45 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop

Glad you folks are putting this together and that PSA will be there with an
IETF hat on.

I'm supportive of everyone's feedback on this so far. Below's my editorial
suggestions, applied to the original version of the writeup. I found it a
bit confusing terminology- and organization-wise. I'm sorta guessing about
some of the intent/context, but took a stab at enhancing it.

Basically, I'd spell things out in a bit more contextual detail because if
one isn't mired in the middle of all this web and web browser stuff, it can
be pretty confusing.

take what you will of the below, hope it helps a bit,

=JeffH

 > ========================================================================
 >
 > Abstract
 >
 > This position paper aims to provide some motivations for an Application
 > Programming Interface (API) that will allow developers access to
 > cryptographic algorithms already present in today's web browsers.

Today, Web applications are constructed from a combination of server side
code and dynamically-downloaded client side amalgamations of HTML and
Javascript (plus other components). The formally standardized environment
the client-side Javascript programmer has to work with is provided by the
browser implementation (e.g. the DOM Core [1], CSS Selectors, Geolocation,
localStorage, etc APIs [2]). Additionally, various de-jure standard
Javascript libraries are often downloaded and utilized (e.g. JQuery []).
But again, those libraries are limited to the same native client side APIs
that main web application client-side Javascript modules have access to.
The standardized native client side APIs do not include cryptographic
functions at this time.

This position paper presents motivations for specifying a native in-browser
cryptographic Application Programming Interface (API) facilitating
developer access to basic cryptographic functions -- that are already part
of the browser or its execution environment -- similar to what is available
to application programmers developing directly on typical operating system
platforms.



 > Motivations
 >
 > More and more applications are moving to the "web" (i.e.,
 > http://www.example.com:80 and http://www.example.com:443).


More and more applications are moving to the "web" (i.e.,
HTTP + HTML + Javascript + other stuff as appropriate).


 > Developers
 > are working within the confines of browsers to secure these applications
 > and most use Secure Sockets Layer (SSL)/Transport Security Layer (TLS)
 > to do so.  For applications whose architectures are not strictly
 > client-server this reliance is not always optimal.
                                                      ^
                                                    insert:

For example, for some applications there is a need to apply data-origin
message-level authentication and possibly encryption to objects exchanged
between the browser and other network entities.

 > As a work around,
 > developers are investigating the use of JavaScript Object Notation
 > (JSON) for application layer security protocols and cryptographic
 > algorithms.

As a work around,
developers are investigating the use of JavaScript Object Notation
(JSON) for application layer security protocols, as well as implementing
various cryptographic functions directly in Javascript libraries
(Javascript libraries are typically stored at well-known web addresses and
fetched as needed by any web application needing them).


New para here:

 > Use of JSON makes some sense in an application layer
 > security protocol but developers rolling and then delivering their own
 > cryptographic algorithms is not only wasteful but is possibly insecure
 > when the browser's security "goodies" (i.e., the cryptographic
 > algorithms) are just an Application Programming Interface (API) away.

Use of JSON as an object encoding construct makes sense in a web
application layer security protocol. However, developers rolling and then
delivering their own cryptographic libraries is wasteful when the browsers'
already existing cryptographic functions are just an "Application
Programming Interface (API) away". The various functions that could be made
available via such APIs are: message digest/hash algorithms, digital
signature algorithms, content encryption algorithms, key wrap algorithms,
keyed-Hash Message Authentication Code (HMAC) algorithms, etc.


 > Downloading cryptographic algorithms is wasteful in terms of bandwidth
 > used.

delete above -- it was already said immediately above.

combine this..
 > Application and browser developers are both very interested in
 > ensuring their applications are speedy in the eyes of users; nobody
 > wants to lose a speed war on cnet®.  If web developers end up rolling
 > their own cryptographic algorithms to support a JSON application layer
 > security protocol, then the code may end up being downloaded during
 > application initialization.
..with "Use of JSON..." para.

s/algorithms/libraries/

 > Cryptographic code could include: message
 > digest/hash algorithms, digital signature algorithms, content encryption
 > algorithms, key wrap algorithms, keyed-Hash Message Authentication Code
 > (HMAC) algorithms, etc.

above sentence was moved upwards.





 >
 > Developers rolling their own cryptographic code could be insecure.

Developers rolling their own new cryptographic code will almost certainly
beget insecure functionality.

 >  As
 > Steve Bellovin pointed out in RFC 5406: The design of security protocols
 > is a subtle and difficult art.  In fact, it is worse: coding security
 > protocols is even more subtle and difficult than designing the security
 > protocol.  There is no doubt that some developers will get it right the
 > first time but there is also no doubt that some will get it wrong.  With
 > cryptographic algorithms already coded in browsers and some having been
                 ^^^^^^^^^^         ^^^^^
                functions         implemented

 > National Institute of Standards and Technology (NIST) Federal
 > Information Processing Publication (FIPS PUB) 140 evaluated, it seems
 > unnecessarily risky to not utilize the cryptographic algorithms already
 > present in the browser.                              ^^^^^^^^^^
                                                       functions

 >
 > Greedy Goals
 >
 > An API that allows web developers to access browser-embedded
 > cryptographic algorithms would include the following:
 >
 > o Support for hash/message digest algorithms (e.g., SHA-256);
 > o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
 > o Support for confidentiality algorithms (i.e., AES);
 > o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5,
 > ECDH);
 > o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
 > o Support extracting keys from TLS sessions ala RFC 5176;
 > o Support for PKI path validation (i.e., input/output of base64
 > certificate/crl/ocsp blobs), and;
 > o Support for Cryptographic Message Syntax (CMS).

add references:


[1]  http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/

[2]  http://blog.frontendforce.com/2010/04/html5-javascript-api-whats-new/
      see also pages 20 & 21 of..
     http://www.ietf.org/proceedings/80/slides/plenaryt-6.pdf



 > _______________________________________________
end




From nico@cryptonector.com  Wed Apr 27 18:05:18 2011
Date: Wed, 27 Apr 2011 20:05:13 -0500
Message-ID: <BANLkTi=hqfa5Jurc=_ia7tYs41xQyvLAEw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: saag@ietf.org
Subject: [saag] W3C Identity paper on GSS-REST

--0016e649c86c4cae4204a1f026c6
Content-Type: text/plain; charset=UTF-8

I wrote the attached paper in a hurry, as I hadn't realized the
deadline was upon me.  Even so, I think it will be of interest to
SAAGers.

The abstract:

  Applications often require context-specific authentication
  decisions, particularly HTTP applications. TLS provides limited
  authentication facilities, and only at the transport-layer, which
  is often inconvenient.  GSS-REST is a method that obtains
  pluggable application-layer authentication for HTTP-based
  applications, using off-the-shelf authentication mechanisms and
  without replacing TLS for transport protection. Additionally,
  GSS-REST provides a method by which to get away from cookies.

  GSS-REST, as its name indicates, consists of POSTing GSS-API
  "security context tokens" to a resource in order to authenticate
  the client user and the service and to exchange cryptographic key
  material, the latter needed only optionally to strengthen cookies.

  Additionally, we discuss some aspects of identity selection UI
  issues.

Nico
--
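
The exchange the abstract describes, as an added walk-through that is not part of the original message or of the paper: a client POSTs security context tokens to one resource until both sides report the context complete, both sides then hold the same exported key, and that key is used to MAC each later request so the cookie alone is no longer a bearer secret. Everything mechanism-specific is an assumption: a constructed pre-shared-key challenge/response stands in for a real GSS-API mechanism such as Kerberos, the resource name `/gss-rest`, the token framing and the keyed-cookie construction (HMAC over method, path and cookie) are illustrative choices, and the HTTP layer is simulated with plain function calls.

```python
"""Toy GSS-REST style exchange: context tokens POSTed to a resource, then keyed cookies.

Added example, not the paper's or the author's code. A constructed pre-shared-key
challenge/response mechanism stands in for a real GSS-API mechanism so that the
exchange runs offline; resource name, framing and header names are assumptions.
"""
import base64
import hashlib
import hmac
import os

PSK = b"constructed-pre-shared-key"   # constructed; stands in for mechanism credentials
GSS_REST_RESOURCE = "/gss-rest"        # assumed resource the tokens are POSTed to


def _mac(key, *parts):
    """HMAC-SHA256 over '|'-joined parts; used for proofs, key derivation and request MACs."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class ClientContext:
    """Client side of the toy mechanism (plays the role of gss_init_sec_context)."""
    def __init__(self, psk=PSK):
        self.psk, self.nonce, self.session_key = psk, os.urandom(16), None

    def step(self, in_token):
        """Consume the service's token (None on the first call); return (out_token, complete)."""
        if in_token is None:                     # round 1: send our nonce
            return self.nonce, False
        srv_nonce, srv_proof = in_token[:16], in_token[16:]
        if not hmac.compare_digest(srv_proof, _mac(self.psk, b"srv", self.nonce, srv_nonce)):
            raise ValueError("service authentication failed")   # mutual auth: service proved nothing
        self.session_key = _mac(self.psk, b"key", self.nonce, srv_nonce)   # exported key material
        return _mac(self.psk, b"cli", self.nonce, srv_nonce), True


class ServerContext:
    """Service side of the toy mechanism (plays the role of gss_accept_sec_context)."""
    def __init__(self, psk=PSK):
        self.psk, self.cli_nonce, self.nonce, self.session_key = psk, None, None, None

    def step(self, in_token):
        """Consume the client's token; return (out_token, complete)."""
        if self.cli_nonce is None:               # round 1: answer with our nonce and a proof
            self.cli_nonce, self.nonce = in_token, os.urandom(16)
            return self.nonce + _mac(self.psk, b"srv", self.cli_nonce, self.nonce), False
        if not hmac.compare_digest(in_token, _mac(self.psk, b"cli", self.cli_nonce, self.nonce)):
            raise ValueError("client authentication failed")
        self.session_key = _mac(self.psk, b"key", self.cli_nonce, self.nonce)
        return b"", True


class Service:
    """Simulated HTTP service: one token resource, then requests authenticated by keyed cookie."""
    def __init__(self):
        self.sessions = {}                       # cookie value (session id) -> ServerContext

    def post_token(self, sid, token):
        """POST GSS_REST_RESOURCE with one context token; returns (sid, out_token, complete)."""
        ctx = self.sessions.setdefault(sid, ServerContext())
        out, complete = ctx.step(token)
        return sid, out, complete

    def request(self, method, path, cookie, mac):
        """Ordinary request: the cookie names the session, the MAC proves possession of its key."""
        ctx = self.sessions.get(cookie)
        if ctx is None or ctx.session_key is None:          # unknown or unfinished context
            return 401
        if not hmac.compare_digest(mac, sign_request(method, path, cookie, ctx.session_key)):
            return 401
        return 200


def sign_request(method, path, cookie, key):
    """Keyed-cookie MAC: binds the cookie to this method and path under the exported key."""
    return _mac(key, method.encode(), path.encode(), cookie.encode())


def establish(service):
    """Drive the exchange: POST tokens until both sides are complete. Returns (cookie, key)."""
    client = ClientContext()
    sid = base64.urlsafe_b64encode(os.urandom(12)).decode()   # constructed session id
    token, client_done = client.step(None)
    while True:
        sid, reply, server_done = service.post_token(sid, token)
        if not client_done:
            token, client_done = client.step(reply)
        if server_done and client_done:
            break
    return sid, client.session_key


def demo():
    """Returns the status codes for a valid request, a MAC for the wrong path, and a cookie-only request."""
    service = Service()
    cookie, key = establish(service)
    ok = service.request("GET", "/account", cookie, sign_request("GET", "/account", cookie, key))
    wrong_path = service.request("GET", "/account", cookie, sign_request("GET", "/other", cookie, key))
    cookie_only = service.request("GET", "/account", cookie, b"\x00" * 32)   # stolen cookie, no key
    return ok, wrong_path, cookie_only
```

`demo()` returns `(200, 401, 401)`: the service accepts only a request whose MAC was made with the key exported from the completed context, so a copied cookie value by itself buys nothing. A deployable keyed-cookie scheme would also MAC a timestamp or counter to resist replay of a captured request; that is left out here to keep the exchange itself in view.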

--0016e649c86c4cae4204a1f026c6
Content-Type: application/pdf; name="GSS-REST.pdf"
Content-Disposition: attachment; filename="GSS-REST.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_gn0zre4y0

RfsYz6hSLiPKku+yO2JhUK5JpSjnXKM0C7pebgeUxXJKMcqSNjFFWzQlgW8hqEH8CJl1NAOnAnhA
1XWMAy/48tjT8VnrBKxxRPN33/sYazvUcNdw0tBqaLRXT/w6DKwQEPBtCzgzuMI3xKFCDgplbmRz
dHJlYW0KZW5kb2JqCjQ5IDAgb2JqIDw8Ci9MZW5ndGggMjQzICAgICAgIAovRmlsdGVyIC9GbGF0
ZURlY29kZQo+PgpzdHJlYW0KeNpV0L9KxEAQBvAvbBGYwryAuPMCmsTkSIqDg/MEUwhnZSFWailE
0U4uPlo6X2MfYTtThOC3UTltfguz848ps5PiVDOt9DivtCy0qPQ+lycpFoxmuih/vu4eZd1Ieq3F
QtILxiVtLvXl+fVB0vX2THNJN3qTa3YrzUbhAZgRUR8fwbgDi9gdBpaB2iJx9QpJ3+7pYHu/g313
MxPBiNUMopnhmw5mwA7G/2FC7JkZuz3RzPAPM+MJ041LiLeeTTsHdJ/EfhCuF+h/sT0nc58u7EOY
y7HkDXxHoGV3tIZVdcyCJXORTOEG4RBy3siVfAGWb2IzCmVuZHN0cmVhbQplbmRvYmoKMjkgMCBv
YmogPDwKL1R5cGUgL0ZvbnQKL1N1YnR5cGUgL1R5cGUzCi9OYW1lIC9GMzMKL0ZvbnRNYXRyaXgg
WzAuMDEyMDQgMCAwIDAuMDEyMDQgMCAwXQovRm9udEJCb3ggWyA3IC0xNyA3MCA1OCBdCi9SZXNv
dXJjZXMgPDwgL1Byb2NTZXQgWyAvUERGIC9JbWFnZUIgXSA+PgovRmlyc3RDaGFyIDk3Ci9MYXN0
Q2hhciAxMjEKL1dpZHRocyA1MCAwIFIKL0VuY29kaW5nIDUxIDAgUgovQ2hhclByb2NzIDUyIDAg
Ugo+PiBlbmRvYmoKNTAgMCBvYmoKWzQyLjQ0IDAgMCAwIDAgMCAwIDAgMjUuNDYgMCAwIDIxLjIy
IDY3LjkxIDQ2LjY4IDAgMCAwIDAgMCAyNy41OSAwIDAgMCAwIDQwLjMyIF0KZW5kb2JqCjUxIDAg
b2JqIDw8Ci9UeXBlIC9FbmNvZGluZwovRGlmZmVyZW5jZXMgWzk3L2E5NyA5OC8ubm90ZGVmIDEw
NS9hMTA1IDEwNi8ubm90ZGVmIDEwOC9hMTA4L2ExMDkvYTExMCAxMTEvLm5vdGRlZiAxMTYvYTEx
NiAxMTcvLm5vdGRlZiAxMjEvYTEyMV0KPj4gZW5kb2JqCjUyIDAgb2JqIDw8Ci9hOTcgNDMgMCBS
Ci9hMTA1IDQ0IDAgUgovYTEwOCA0NSAwIFIKL2ExMDkgNDYgMCBSCi9hMTEwIDQ3IDAgUgovYTEx
NiA0OCAwIFIKL2ExMjEgNDkgMCBSCj4+IGVuZG9iago1MyAwIG9iaiA8PAovTGVuZ3RoIDEwNSAg
ICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzbUMzRSMFCwAGIjEwVDU4UU
Q65CLiBtAIRACiSRnMvl5MmlHw7kc+l7gElPX4WSotJULn2nAGcFQy59F4VoQwWDWC5PFwX2A/If
7H/U//n/DxnW/7H/If+B/QCXqydXIBcA4ZoonQplbmRzdHJlYW0KZW5kb2JqCjU0IDAgb2JqIDw8
Ci9MZW5ndGggOTYgICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozNtcz
NlEwUDBUMLRQMDZUMDJXSDHkKuQysgQKGihYQiSSc7mcPLn0wxWMLLn0PRSAhKevQklRaSqXvlOA
s4Ihl76LQrShgkEsl6eLwv///38QwlyunlyBXADPFjVeCmVuZHN0cmVhbQplbmRvYmoKNTUgMCBv
YmogPDwKL0xlbmd0aCAyOTEgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4
2o3RMWrDMBSAYRkNgrf4CNIJahtSJ1liSFOoh0I7dSiZ2o4dWtqt2L5JruKj5AgePZi8Su9JcYnB
VGD4JC//k1aLq+u1Sc3CfqvM5GvzmsEHLHO7T93W/Xh5h20JyZNZ5pDc2VNIynvz9fn9Bsn24cZk
kOzMc2bSPZQ7I+zSjfBrVNFOVR/nhN1EEfYzkjhMpPA0oxgx6BCkD+ijtT4rDipi9PkbFVQp9NE/
o2TQIEN+H3lFfYiOulHCS1pxvjyKmqWsOFq1f1SwYivOjxuhMdy8z9duzgsVTpS/cfdBqpwouka7
LuTA+WdFpJ7jhbiQJA08huBBFOnE8YLzR8UujQYh0SCa1VC8zy9YLcV7Vfywraujd8Xuv4LbEh7h
F8bBypIKZW5kc3RyZWFtCmVuZG9iago1NiAwIG9iaiA8PAovTGVuZ3RoIDIzNSAgICAgICAKL0Zp
bHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjapdLBCoJAEAbgkQ7CXHoE5wlaBdE8CWaQh6BO
HaJTdexQ1LkezUfxETx6ELdddYwUTwrCt+qO/wzrBwvPJZv07bvkLeni4B29QK1tvdQvzjeMEhQH
8gIUG/UURbKl5+N1RRHtVuSgiOnokH3CJCZZXwDQIGdUDPlhZABhCWDqjzQMWTSAd9kirFpYso+5
KjQCU6ZTMCw4/HsXrIvK4Q1ux+QGdcsQ6o7rne1YGsgO2egQrKprGThqv9OZ2v8PnWMUxTT0C85+
yDhYxplTHl2LkMNLyYOq+EgUjJyR9s+PmhOuE9zjF+zlEEMKZW5kc3RyZWFtCmVuZG9iago1NyAw
IG9iaiA8PAovTGVuZ3RoIDMwNiAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFt
CnjaxZI9TsRADIUdTRHJzRwhvgAkKchmq5GWRSIFElQUiAookQBBS3ITrpKj5AhTpljF2JPZLH89
UyRfPE/2i+26OF6XVFBFRyWtTqha032Jz1jVEixoFW/uHnHTYH5NVY35uYQxby7o9eXtAfPN5SmV
mG/pRhLdYrMlkMMe4EneGTOAcMLMQyKQCoxGwAlMqYBesPUimST64UUiUSsPyz2Er0ySgBFwIhGh
h3YXq/Co0HoNynHe8KCQ+fQAvYL1lrtvkPqQ+AsY7xaYfkI7Q/IXBDvq6F9hsRGNHcAv4H4DR4hN
SBYYYqMWMENspulje9Pe7CGOwHZxKNnekIN5cPCuC6GJdjAPNxnnAUMadkREmSZjlnmqTpckeNG1
Cbl0kUIZXa0u/r+Ww7MGr/ATl7/LqAplbmRzdHJlYW0KZW5kb2JqCjU4IDAgb2JqIDw8Ci9MZW5n
dGggMjA4ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNqN0r0KwjAQAOCE
DoVb+gbmnsC0FFsnC7WCHQSdHMRJHR0UBSf10XwUH6ODGBvstdC01kDgu4Rc/i70+wMfXdQ99DAY
4taDAwRhHrs61BObPcQpyCUGIchpPgoyneHpeN6BjOdj9EAmuPLQXUOaoPq2jHXjxZhQjHECiwgO
wSJwAjNxJYza0avh0gCnE5nO0AhOsAiigL7w3yhXVXl4+6Y5+LM4oQnr0QVWwTZxr8MxIAxEhBs9
uKIfJNgEoagAFJVEifcvwCSFBXwArrHfZAplbmRzdHJlYW0KZW5kb2JqCjU5IDAgb2JqIDw8Ci9M
ZW5ndGggMzAwICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNrN0r1OhEAQ
B/DdUFwyDY9w8wIKxAhYkZxnIoWJVhbmKrU0UaM19yb3KjwKj7DlFRfGmR1gufhRewX5sSzs3My/
LE/Tc0wxx5MMyzPML/Apgzcocl5MsRiePL7AqobkHosckmtehqS+wY/3z2dIVreXmEGyxocM0w3U
azT8I2fMq2BJZAzfGEtEnRUtWPtIVLH6hUieUexkW8/rOyfb+BLrpR1ul/wxE4mq3n+T1RzGA2kv
apyu8x7HeztfheP3g1oRnxbT9lhciz9iLq60Cuq/q1HZX+TL8yX+DzXcdNcE9X9J/6X0cyYatfxB
2sljacdV3aBokk7LThMMU7XTpCOd/nZQSERIiSaHNE3O0m5MmM+VT90hGpPofCYlna1JZ12Cqxru
4AvqpPlyCmVuZHN0cmVhbQplbmRvYmoKNjAgMCBvYmogPDwKL0xlbmd0aCAxMjEgICAgICAgCi9G
aWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42rMw1zO1VDBQMAFiCxMFMwuFFEOuQi5zkJgB
iAuSSM7lcvLk0g9XMLfk0vcAinLpe/oqlBSVpnLpOwU4Kxhy6bsoRBsqGMRyeboo/AeCBmYg8Y9Y
FoP9PwYg+P+DYeSx/oMBKayRG1b4WKSnOi5XT65ALgDWCjRuCmVuZHN0cmVhbQplbmRvYmoKNjEg
MCBvYmogPDwKL0xlbmd0aCAxMDQgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVh
bQp42jMx1DM3UjBQMAZhSwUzC4UUQ65CLmNTIN8AxAVJJOdyOXly6YcrGJty6XsARbn0PX0VSopK
U7n0nQKcFQy59F0Uog0VDGK5PF0U/gPBA2wEg/x/BoZRAg+BM+i4XD25ArkAi2mDJQplbmRzdHJl
YW0KZW5kb2JqCjYyIDAgb2JqIDw8Ci9MZW5ndGggMTcyICAgICAgIAovRmlsdGVyIC9GbGF0ZURl
Y29kZQo+PgpzdHJlYW0KeNozNdezMFMwUDBW0DVUMDVSMLNQSDHkKuQysQAKGiiYWUJkknO5nDy5
9MMVTCy49D2Awlz6nr4KJUWlqVz6TgHOCoZc+i4K0YYKBrFcni4KDOz/gQAnycAgDyJGSRAp/wBE
2n8AkfU/EOT/PzhJ+39QEqiy/g9D/QcQw/4Bw3+gxgOM/z8w8P9h/38AHNgNDMz///8D2lQPlGRg
4AcKMHC5enIFcgEA7oeOAAplbmRzdHJlYW0KZW5kb2JqCjYzIDAgb2JqIDw8Ci9MZW5ndGggMjc3
ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNpt0jFOhFAQxvEhFCTTcATm
BALJKmyiIVnXRAoTrSw2VmppodFkOzzaHmWPYElh9jkzbxgsKEh+PML/K6Btzs7XVNGKr3ZFFy29
1PiOjZxVcisPnt9w02P5SM0ay1s+xbK/o8+Pr1csN/fXVGO5pV1N1RP2WwohAEASwon17Tos6BgF
XfjhV2APrNF0FX5dJ9PlrCFM6mREVUhalUtalWk6ajSlrkRHRKBplaZVmjYdTIVLR1Q6otK0StMq
TZvCpMElI1GSjpJ0lKQnjabUJSNRMmLitInTJk67jqbcxSMmTps4beK0K0waXPrJVIUrd2WudEGJ
C2YNrs5VLCh3ZSPEvw5SV+KCWft/wpseH/APWE3R1wplbmRzdHJlYW0KZW5kb2JqCjY0IDAgb2Jq
IDw8Ci9MZW5ndGggMTg1ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNoz
N9MzNVYwUABhc0MFMwuFFEOuQi4zcyDfAMQFSSTncjl5cumHK5iZc+l7AEW59D19FUqKSlO59J0C
nBUMufRdFKINFQxiuTxdFP6DAQMDA4TxAcb4B2P8b4AxHjAwyANV8oMUgRiM/39AGAz1f6AM+39Q
BogAM/iB+tEZByAMdiyMB9RmoFuBzT3obob7AuYvuE+hfgeBAzAGA5TxB8Y4ADULDIYpA5oeiGNw
uXpyBXIBANr1z1wKZW5kc3RyZWFtCmVuZG9iago2NSAwIG9iaiA8PAovTGVuZ3RoIDI1MSAgICAg
ICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjardExboMwFIDhhzogvYUblHeB1qA0
yFmKRKkUhkjtlCHqlGTMkKqZ4Wg5CkfIyGDxarAxUmFLjWR9MjKyf+TieZlQRAt6ikm+UCLpEOMZ
ZUTdk6zMm/0JswLFlmSEYq2XURQb+vm+HFFkH28Uo8hpF1P0hUVO3I0G9OjFV6fGqXXiSjNkgJRr
qwe+WUG/pVepBqXtoPmpsgpmdf0XTb88N40nTdXkHp67pe9untoa3YBBjVP9d00HUuD2DgpcU7+P
b5rWE40n8OaK3yV1lwKrdqpyFENo6zI8mj76778aBVwrI1/nMvKYb7ZjaWJC16jC9wI/8RdpBglo
CmVuZHN0cmVhbQplbmRvYmoKNjYgMCBvYmogPDwKL0xlbmd0aCAzMDUgICAgICAgCi9GaWx0ZXIg
L0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42m2RvUrEUBCFT9gicJu8gJB5Ac1miZEFYWFdwRSCVhZi
pZYWinYLyaPlUfIIKSNc7jgzd4kueJuPzO85k3p1tqpoSTWdlnReU72ml9K9u2otwSVdHDLPb27b
uOKBqrUrbiTsiuaWPj++Xl2xvbui0hU7eixp+eSaHQE84ARIOeAS2DB3e4kxDx6J4NtjwV3OHqkG
PLIJaD3yUYo9NgOQCXpovhUsBN2MJAIe/Af7Gf0RZJiI4DFiivDQ14YIqxHYp6gdI1iQq+oI6ckE
QX3J68SDvN4caU3L1qmlU6zRLQdkHKcfkNpw7UHcacjMgSQNcqLxF8kRMGP6B/BHCNYH3ZEEu9Ii
2HnknipcjqyK5Seoqs0INSCJ0Jo/n9spptScaFZWD1Glu27cvfsB9/PXCmVuZHN0cmVhbQplbmRv
YmoKNjcgMCBvYmogPDwKL0xlbmd0aCAxNjIgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+
CnN0cmVhbQp42jM317M0VDBQMAFicxMFM3OFFEOuQi4zSyDfAMQFSSTncjl5cumHK5hZcul7AEW5
9D19FUqKSlO59J0CnBUMufRdFKKBxsRyeboo2P+HgAdEMf4x8P9vYP7/oP4BiMFg/6H+AJgh/6Ge
AcxgRzDqIAzmDzUQBiMWRgWEwYCP8QPK+PEByqgghsEAZTCMMqjJYAcnBOIYXK6eXIFcAFTSyy4K
ZW5kc3RyZWFtCmVuZG9iago2OCAwIG9iaiA8PAovTGVuZ3RoIDIzMiAgICAgICAKL0ZpbHRlciAv
RmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjafc+9TsMwEAfwqzxEuiWP4HsBcCKSshGpFIkMSDAxICZg
7ACCOXm0PkoeoWwZrPy5sztUAmEPP/ns+3DbnDdrqeRCzmppG9HDa83v3FZiu7nMNy873vQcHqWt
ONxqmEN/J58fX28cNvfXUnPYylMt1TP3W6EVJtLlsRgDMJLGYFG30DATFZF8VBYq9U0JKnCK04xf
rLC3BMPFBB0y9B8OCSSKTIdvAzEVw5RKYzR87tDlDt2cGI7kfjgy/Y074aBlU3qZ8RrpFrrSKTzG
OGCvE82KTjl5e4PRMspoH+Cbnh/4B+VsoZcKZW5kc3RyZWFtCmVuZG9iago2OSAwIG9iaiA8PAov
TGVuZ3RoIDIxNCAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjarZAxCsJA
EEUnbBGYJkfIXEA3kUWxMRAjmELQykKs1NJCUbAQkqPtkVKmCBlnE0XsheEVf3Y+/6+ZDidTisjQ
ICYzITOmY4wXNCMRo05xm8MZ0xz1lswI9VJk1PmKbtf7CXW6nlOMOqNdTNEe84wAkgYAPGYLEDBX
IjCLVFSqBWDrMSguFYPvpvRbx6Bj2HyZ1G/Ky6IGr3WEh9iI+5v8JzrnXyY9JbayPUMJ79vAsQxY
qpUSD0KJZ2EmdSt4ynGj6q5v1XWXH1DMHz9c5LjBFwLmdMEKZW5kc3RyZWFtCmVuZG9iago3MCAw
IG9iaiA8PAovTGVuZ3RoIDIyMSAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFt
CnjaxdAxCsIwFAbglA6Ft+QIeRfQtNIqTgWtYAdBJwdxUkcHRed4A6/kDbyCN9CxQ+nzPRVxKDiJ
GfLBCwn/n3ar2YoxxBgbESZdbHdxGcEGEhmG2HmdLNbQy8FOMYnBDnkMNh/hbrtfge2N+xiBzXAW
YTiHPEPFy69kD+gryjzR/yC9CD6VgiY6MinRmaFCAnp08hifDspVHJmPq8dVTq3LxyvmSVrU4F7c
PqEf4GqpiyRxzRupwo0CxklN7k1S2icq+W1zZRz/C2Oo0kxAhaDcSRcKBjlM4A53brZpCmVuZHN0
cmVhbQplbmRvYmoKNzEgMCBvYmogPDwKL0xlbmd0aCAyMjYgICAgICAgCi9GaWx0ZXIgL0ZsYXRl
RGVjb2RlCj4+CnN0cmVhbQp42nWPPW7CQBCFZ+VipWl8BM8FkmXFBtJZ4keKi0ihokBUgZICRGr7
aD6Kj7ClC+TJ21gKFMkWn1bvvXmaefHP3stEpvLkJbxKmMnB85lDgDiRMB+dzxMvKnZbCYHdG2R2
1btcL19HdouPpXh2K9mhaM/VSojKnogy1YYoV+0gqEaiuk+GtvZGRptsQAQfsgPEJr8lFmDdFn1i
CpfdyHpk/GVMLKI+Mr2/CBfd/7B+ZH9neWdMW400Mce2prOKA7sMF9rWaEt5k+pKDA8GgUIVYftz
tVH4kCDzuuINfwPuRIoTCmVuZHN0cmVhbQplbmRvYmoKNzIgMCBvYmogPDwKL0xlbmd0aCAxNjcg
ICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jM20TMyVjBQAGETYwVzA4UU
Q65CLmNLIN8AxAVJJOdyOXly6YcrGFty6XsARbn0PX0VSopKU7n0nQKcFQy59F0Uog0VDGK5PF0U
GBgY/jcwMPD/f8DAUP//AwPj//8/GJj/9/9h4P/H/49B/o88kPgBJOxBRP0HBMH/h+H/AzDB/AFI
MBwAEQykE/9BNmIjyDRvAIj6/0ASG8Hl6skVyAUA6PyuoAplbmRzdHJlYW0KZW5kb2JqCjczIDAg
b2JqIDw8Ci9MZW5ndGggMjgxICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0K
eNqVkT1OxDAQhR/awpIbHyFzAUgCm7SWlkUiBRJUFIgKKClA0BLfYK/ko+QIKbeIPMzYixDFFiTF
J8/Pe89J1581LTV0QafnLXVrWnf03No32zWkb98fWk+vdjPY+p66xtbXUrf1cEMf758vtt7cXlJr
6y09iNSjHbYE8IQvwHFacYBn3glYn3jCcWQfV4xq76NJcIuPboFJVagE7KQBaf/AK8L/8VclS0si
NQKyLZBDABpp1hNL7IwgIzuWQZigNTipHEUsmArmAr1rgRgZzqIZU3bgWWxLsyAXU15giSUqI8NH
3cUYNGRQgAPjF+MRlMmygDHqOrxeLmVps8Cl/GmN/pFDlqiezCX9PivpwV4N9s5+A93oyPEKZW5k
c3RyZWFtCmVuZG9iago3NCAwIG9iaiA8PAovTGVuZ3RoIDE2NyAgICAgICAKL0ZpbHRlciAvRmxh
dGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzPSMzJRMFAAYTMgslRIMeQq5DI1BfLBXJBEci6XkyeXfriC
qSmXvgdQlEvf01ehpKg0lUvfKcBZwZBL30Uh2lDBIJbL00WBof4AAxD8/0+QYoZQjANGsf8DU/b/
G0DU//8PgNTB//9/AKnjH+z/AKnzDfIg6j4D/z8gdQ9C/YFQPxjY/wOpDyjUA2zUgaFE/f//v/n/
/3/4KC5XT65ALgBK5ddtCmVuZHN0cmVhbQplbmRvYmoKNzUgMCBvYmogPDwKL0xlbmd0aCAxMzEg
ICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jM21DM0UjBQMAFiI0sFcwOF
FEOuQi4jEN8AxAUxknO5nDy59MMVjEy49D2Aolz6nr4KJUWlqVz6TgHOCoZc+i4K0YYKBrFcni4K
DDUMjP8ZmP83sP8/AET8/x8gI4ggUBaoBqiSAKg/UP8fBTH/P8BIe/QfFXC5enIFcgEA2fB/RApl
bmRzdHJlYW0KZW5kb2JqCjc2IDAgb2JqIDw8Ci9MZW5ndGggMTA3ICAgICAgIAovRmlsdGVyIC9G
bGF0ZURlY29kZQo+PgpzdHJlYW0KeNozNtQzNFIwUDABYmMDBTNLhRRDrkIuI1MgH8wFSSTncjl5
cumHKxiZcul7AEW59D19FUqKSlO59J0CnBUMufRdFKINFQxiuTxdFBjqDzD8/4+JmYGYcQTg////
N6BjLldPrkAuAIRTl5wKZW5kc3RyZWFtCmVuZG9iago3NyAwIG9iaiA8PAovTGVuZ3RoIDIwOSAg
ICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnja7dE/CsJQDAbwiEMhyztCcwJf
6x9aQSxUBTsIOjmIkzo6KApuPidHb6AXcehReoSOHUpjqoO4CO4Ogd+XZPvajVqjRQ41Zdp1arZo
6eIGfU+yU8bysFhjGKGeku+hHsoWdTSi3Xa/Qh2Oe+Si7tPMJWeOUZ/gaKwCQOUAzCbgGI5sSjKn
FeZEeGLOqhKF59TOVRJkwkusCtvYOVT5Boq7YBdQ4StY3AFV8i48vJjJUyrxk6kweTERxt8YC82f
b/KzF5Zeil+Igwgn+AD47/wjCmVuZHN0cmVhbQplbmRvYmoKNzggMCBvYmogPDwKL0xlbmd0aCAx
NjIgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jMz0jMyUTBQAGEzIGWq
kGLIVchlagrkg7kgieRcLidPLv1wBVNTLn0PoCiXvqevQklRaSqXvlOAs4Ihl76LQrShgkEsl6eL
AkN9A/s/Bob//xvs/zeAqP//HwCpxv//fwCp9g/2f4BUf4P8Hwbm//MZ+P8xMP6fB6H2QKgfDOz/
gdQHFOoBNurAUKL+///f/P//P3wUl6snVyAXAONbqxsKZW5kc3RyZWFtCmVuZG9iago3OSAwIG9i
aiA8PAovTGVuZ3RoIDIxMyAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnja
pZAxCsJQDIYjDkKWHqG5gL4WW6VToVbwDYJODuKkjg6KzvVoPUqP0LFDMSa21UVcfBA++PPzkj/h
ZOT55NGYhj6FYwomdPDxjEEkokfBtOnsT5hYNBsKIjQLkdHYJV0vtyOaZDUjH01KW/lohzYlALcG
eT3mXDBgLgUus6pZ5bCA8x7fQUs8/QdAXMBAUYIjNrcCpwItV1F3iBUPdak7U/B38Av3P/FrQrdL
g27P+pW+zdAmatHXtIWEluz5+xIxs7TBYa4+N2suiHOLa3wCXcWPZgplbmRzdHJlYW0KZW5kb2Jq
CjgwIDAgb2JqIDw8Ci9MZW5ndGggMjI3ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+Pgpz
dHJlYW0KeNq10bFqAkEQBuBZLIRpfATnBXTv9E60EoyCVwRiZSFWJmWKiNbnoy34AD5CfIQtr1gc
/5VEhMRUsVg+2Nll55/tddqdTBLpSisdSN6XLJfXlD84j7uJ9LKv0uqdRwXbueQZ2yn22RbPsllv
39iOXp4kZTuWRSrJkouxUOkaFZGqU92BveoRHFQr8OmGASg1T1TTQHUlg0JNd0Y9cAansYy6b0j9
LWV1n2H4f35/z//s7NJubN5do1TIh2CBGjHmKYY2GEEZAAbiAcYTr2JYFGn6C0SPQeOf/A1PCp7x
GQil3MYKZW5kc3RyZWFtCmVuZG9iago4MSAwIG9iaiA8PAovTGVuZ3RoIDE2MSAgICAgICAKL0Zp
bHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzHVMzdVMFAwBmITYwUTU4UUQ65CLmNLIN8A
xAVJJOdyOXly6YcrGFty6XsARbn0PX0VSopKU7n0nQKcFQy59F0Uog0VDGK5PF0UGOob6hn+/2/8
/+D//+b/H/7/7///A0j0//n/f778P+b/++T/Mf7fAyJ+wIkPYIL/D+P/B+w/gATjAyDBwIBMHKA3
8f8/0GJsBJerJ1cgFwBukIEXCmVuZHN0cmVhbQplbmRvYmoKODIgMCBvYmogPDwKL0xlbmd0aCAy
MjMgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42kWPMU7EQAxFP5piJTc5
wvgCMDva7CKqkZZFIgUSVBSICii3AEFL3HGtHCVHSJkiirEVtDRvNN/f/nZdX+QrXnPN55lre3f8
mumdNlsT7Xu5VF6OtG8oPfJmS+nWZErNHX9+fL1R2t9fc6Z04KfM62dqDow4BYHqjwRVlcoRh6BS
OhgERVogyrdjBqoTVqL/EEcPQK2CVgeHlYpq5xgQVSfY+BkehDMPco+42LnTEJYZvbWXBaPlOqoF
0wm+RmcJ8Q++qXW30DHMdpClTaojhmJqvzI73TT0QL8qnX8JCmVuZHN0cmVhbQplbmRvYmoKODMg
MCBvYmogPDwKL0xlbmd0aCAxNzMgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVh
bQp42jMx1jM1UzBQMFLQNVQwtlAwM1ZIMeQq5DI2BQoaKJiZQGSSc7mcPLn0wxWMTbn0PYDCXPqe
vgolRaWpXPpOAc4Khlz6LgrRhgoGsVyeLgoMjA8YGLASzFgIdjjBDyfk4YQ9iKgHEf+BBDOI4P//
/3/DfywEWAmdCKB3iCeA/vz/gfkAQz2EYD/AYP+Dv4FB/o882DdA7///Awyh/z8gHuZy9eQK5AIA
DSyPdAplbmRzdHJlYW0KZW5kb2JqCjg0IDAgb2JqIDw8Ci9MZW5ndGggMjE2ICAgICAgIAovRmls
dGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNp9zT1qw2AMBmAZDwEtvkGsE+Szi00pmBryA/VQ
SKcMIVPasUNDChkCydF8lBzBowcn6quvobgEAhIPkhBv/jRKHyQR6/xRskzeU/7iPMOc2GiH9SeP
K3YLyTN2L9iyq15lu/n+YDeeTyRlN5VlKsmKq6moKoXa3SPQE9EzkVGAxnMAO9D+gSrR2JcdBSAG
+IkvFIII1EBpAAbgaBwjEAIy6isxQO7wF4RbfOFp9sah2Xna1ijbxnP2xOeTRz2R1rcgt0eo1CO4
9KHuH5bKs4rf+AfglXBICmVuZHN0cmVhbQplbmRvYmoKODUgMCBvYmogPDwKL0xlbmd0aCAyNzYg
ICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42o3QzUrDQBAH8Ak5BOaSNzD7
BCaR0lgQArWCOQh68iCebI8eFIUKhaxvFuiL7K3XPaYQM/532xxSEDws+5sd2Pm4zM5nucrUBU4x
U5OJWub8xsUUceZCl3h55XnF6aMqppze4pXT6k59vH+uOJ3fX6uc04V6wjfPXC2USJ+I6ETsfxVI
Q6Uh2pCXJVpDxqslghJcCMQ6BVBtKe4oMCO1lHQUQiXUU9hAHZU9RRBSpVCkR+rpSyiGYicdEyS0
R1dQJGSlOfPSR4XybermapA5aAttoEC2TWnXXrujSHY6sXZQexAq7L1q1P8xg8TLdYxF/CE3o+ix
YmxF6ERuYV4R1J8o9Pv2wq9uDL6p+IF/AQ6ZtoUKZW5kc3RyZWFtCmVuZG9iago4NiAwIG9iaiA8
PAovTGVuZ3RoIDEyNiAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzXT
MzBUMFCwBGITCwUzU4UUQ65CLmMLIN8AxAVJJOdyOXly6YcrGFtw6XsARbn0PX0VSopKU7n0nQKc
FQy59F0UooHGxHJ5uigwMDAfYGBgYAcR8iCiHkgw/wcS9kDi/38sxOH/MCUjjAB6//8fbASXqydX
IBcA2AaanwplbmRzdHJlYW0KZW5kb2JqCjg3IDAgb2JqIDw8Ci9MZW5ndGggMjY2ICAgICAgIAov
RmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNpt0LFOwzAQBuCLPES6JY8QPwFJpKarpbZI
ZECCiQExAWMHEEgdkOJH86P4ETx2iHr8d6KABEM+xfbvs8/j+qIffO9H/Qa/Hv3TwC+80nGvQ/15
3PNm4u7Or0burjDL3XTt317fn7nb3Gz9wN3O36PMA087TySZiBo5wSASMSGYcvBI9eKw0GSahdqI
9Rg0m2aiGiaY54JwlkKVFGw5e4T0n8jDkNU2qTj5LNa0wi/1du5LpHFitPvSt+2iBisQdBPN2Yol
K6C/TrtDN7bJIq1FQrQ40YHopFaL6lALzSNSqEkqmodoHn6gasE6uVLhlaToW0muzcZszWDOpvyY
/sqXE9/yJweJxCYKZW5kc3RyZWFtCmVuZG9iago4OCAwIG9iaiA8PAovTGVuZ3RoIDI1OCAgICAg
ICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjahZCxToVgDIV7w0DS5X8E+gIKJPdn
JbleExlMdHIwTnpHB43O8Gg8Co/AyECoPYUQ4+LyDe3p6WljdV2UUkiUq1JiKVWUt5I/+BitWEhV
rZ3Xdz41nD/JMXJ+Z2XOm3v5+vy+cH56uJGS87M8m9ELN2ch0pGIUlVjptoTtYqSUjtRMlG9UDpY
BwxKYTJtFxYwA3u0/qPr+3TGlHkG7WxbwEo4gwtYz6DtpS3WQQcXdki4eM5pT5t62k25zQb3Wf1T
Z+KixI1WHjbrldNvhh6sR9Bi7NT5D8edycYB7zKOuLQdwLpDkmzEjRZM8QRVGPqHW8+f+V1+KN82
/Mg/+mS1owplbmRzdHJlYW0KZW5kb2JqCjE5IDAgb2JqIDw8Ci9UeXBlIC9Gb250Ci9TdWJ0eXBl
IC9UeXBlMwovTmFtZSAvRjMyCi9Gb250TWF0cml4IFswLjAxMDA0IDAgMCAwLjAxMDA0IDAgMF0K
L0ZvbnRCQm94IFsgMSAtMjEgOTIgNzAgXQovUmVzb3VyY2VzIDw8IC9Qcm9jU2V0IFsgL1BERiAv
SW1hZ2VCIF0gPj4KL0ZpcnN0Q2hhciA0NQovTGFzdENoYXIgMTE5Ci9XaWR0aHMgODkgMCBSCi9F
bmNvZGluZyA5MCAwIFIKL0NoYXJQcm9jcyA5MSAwIFIKPj4gZW5kb2JqCjg5IDAgb2JqClszNy4z
NCAzMS4xMiAwIDAgNTYuMDEgNTYuMDEgNTYuMDEgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCA4
NC41OSA3OS42NCA4MC45MSAwIDczLjUzIDAgODguMDUgODcuNTkgNDEuNzIgNTcuODYgMCAwIDAg
ODcuNTkgMCA3Ni41MyAwIDgzLjU2IDYyLjI0IDc3LjkxIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAw
IDU0LjQ2IDAgNDkuNzkgNjIuMjQgNTEuMTEgMzQuMjMgNTYuMDEgNjIuMjQgMzEuMTIgMCAwIDMx
LjEyIDkzLjM1IDYyLjI0IDU2LjAxIDYyLjI0IDAgNDUuNzUgNDQuMTkgNDMuNTYgMCA1OS4xMiA4
MC45MSBdCmVuZG9iago5MCAwIG9iaiA8PAovVHlwZSAvRW5jb2RpbmcKL0RpZmZlcmVuY2VzIFs0
NS9hNDUvYTQ2IDQ3Ly5ub3RkZWYgNDkvYTQ5L2E1MC9hNTEgNTIvLm5vdGRlZiA2NS9hNjUvYTY2
L2E2NyA2OC8ubm90ZGVmIDY5L2E2OSA3MC8ubm90ZGVmIDcxL2E3MS9hNzIvYTczL2E3NCA3NS8u
bm90ZGVmIDc4L2E3OCA3OS8ubm90ZGVmIDgwL2E4MCA4MS8ubm90ZGVmIDgyL2E4Mi9hODMvYTg0
IDg1Ly5ub3RkZWYgOTcvYTk3IDk4Ly5ub3RkZWYgOTkvYTk5L2ExMDAvYTEwMS9hMTAyL2ExMDMv
YTEwNC9hMTA1IDEwNi8ubm90ZGVmIDEwOC9hMTA4L2ExMDkvYTExMC9hMTExL2ExMTIgMTEzLy5u
b3RkZWYgMTE0L2ExMTQvYTExNS9hMTE2IDExNy8ubm90ZGVmIDExOC9hMTE4L2ExMTldCj4+IGVu
ZG9iago5MSAwIG9iaiA8PAovYTQ1IDU0IDAgUgovYTQ2IDUzIDAgUgovYTQ5IDg2IDAgUgovYTUw
IDg3IDAgUgovYTUxIDg4IDAgUgovYTY1IDU1IDAgUgovYTY2IDU2IDAgUgovYTY3IDU3IDAgUgov
YTY5IDU4IDAgUgovYTcxIDU5IDAgUgovYTcyIDYwIDAgUgovYTczIDYxIDAgUgovYTc0IDYyIDAg
UgovYTc4IDYzIDAgUgovYTgwIDY0IDAgUgovYTgyIDY1IDAgUgovYTgzIDY2IDAgUgovYTg0IDY3
IDAgUgovYTk3IDY4IDAgUgovYTk5IDY5IDAgUgovYTEwMCA3MCAwIFIKL2ExMDEgNzEgMCBSCi9h
MTAyIDcyIDAgUgovYTEwMyA3MyAwIFIKL2ExMDQgNzQgMCBSCi9hMTA1IDc1IDAgUgovYTEwOCA3
NiAwIFIKL2ExMDkgNzcgMCBSCi9hMTEwIDc4IDAgUgovYTExMSA3OSAwIFIKL2ExMTIgODAgMCBS
Ci9hMTE0IDgxIDAgUgovYTExNSA4MiAwIFIKL2ExMTYgODMgMCBSCi9hMTE4IDg0IDAgUgovYTEx
OSA4NSAwIFIKPj4gZW5kb2JqCjkyIDAgb2JqCls1MDBdCmVuZG9iago5MyAwIG9iaiA8PAovTGVu
Z3RoIDE4OSAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjanY8xCsJAEEV/
sAhMoTcwcwHd7AqSQLCIEdxC0MpChIBaWigKFhY5Wo6SI1haOklWm3TCq/4MM+9PzNjEHHLEIxOy
iXhq+KjpQrpOJTdudDhTakltWceklpKTsiu+Xe8nUul6zppUxjvN4Z5sxkAOVPBK9Ar4QB8YAgnw
aHjBq2p6ZY0vFBgIqAmaXWH25dnh/RfdO78X7ccAzkFkRMkvnWFrK9rOP2m2pZRUk4JSU8oip4Wl
DX0AR6tAFQplbmRzdHJlYW0KZW5kb2JqCjk0IDAgb2JqIDw8Ci9MZW5ndGggMTg4ICAgICAgIAov
RmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNqdjzEKwkAQRb+kCEwRLyA6F9DNrkEiiEWM
4BaCVhZipZaCioKFRY6Wo+QIHsHNJLHQTnjVzGfm/aEZmDGHHHHfhGwiHhk+aLqQLqchx6Ze7U+U
WFIb1mNSCzcnZZd8u96PpJLVjDWplLeawx3ZlHOgAM5ADHSAAGgDfgYvL2m53Ut4CE9gAkyBrtCT
dElW4+ffeMU//N75vKg+9hqHqSg9G0OxddqVvy/xQKrFUtMVcpVpbmlNb0XLQnMKZW5kc3RyZWFt
CmVuZG9iago5NSAwIG9iaiA8PAovTGVuZ3RoIDEwNCAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNv
ZGUKPj4Kc3RyZWFtCnjaMzLWMzBXMFAwV9A1MlQwMlIwM1JIMeQq5DI0AYoaKFgYQ6WSc7mcPLn0
wxUMTbj0PYDiXPqevgolRaWpXPpOAc4Khlz6LgrRhgoGsVyeLgr///z/84dhMEOQC7lcPbkCuQC2
CWgdCmVuZHN0cmVhbQplbmRvYmoKOTYgMCBvYmogPDwKL0xlbmd0aCAxMDIgICAgICAgCi9GaWx0
ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42s2OOw5AUBQF1WcVZwPcdx9B7ZN4hYRKISqUCsLu
JT6JRch0M83YMDAJDZW+VWrM2HJSrNDosYZp+KVxQeYgHTWCVI+HuJr7dsyQrMmpkIK90gxwBa/z
Or1f8x6idGhxA1/+aBQKZW5kc3RyZWFtCmVuZG9iago5NyAwIG9iaiA8PAovTGVuZ3RoIDE3NyAg
ICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzHUMzVSMFAwU9A1MlQwNlMw
M1JIMeQq5DKyBIoaKFgYQ6WSc7mcPLn0wxWMLLn0PYDiXPqevgolRaWpXPpOAc4Khlz6LgrRhgoG
sVyeLgoMDIw/GBj4gdi+gYHhD4TL/IGBgf0BBPOD8AHaY3kQboA4o56BgeEf0BlAp9QDrf/PAKFB
fJA4WB6kDqRe/gB93Mf/ABEmoPABhRMovMAOAYUf4w8uV0+uQC4AUeVY2QplbmRzdHJlYW0KZW5k
b2JqCjk4IDAgb2JqIDw8Ci9MZW5ndGggMTc0ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+
PgpzdHJlYW0KeNozMdQzNVIwUDBT0DUyVDA2UzAzUkgx5CrkMrIEihooWBhDpZJzuZw8ufTDFYws
ufQ9gOJc+p6+CiVFpalc+k4BzgqGXPouCtGGCgaxXJ4uCn8YGBj+H2BgYP/AwMAI4tQBsT0INzAw
yIMwUJKfHvgB0BEPIA5h/oHkGHmgAPsPCF0HEQfJg9SB1IP00cN9oHAAhQcoXOwZ4E4BOQMUfiDX
crl6cgVyAQCwFFffCmVuZHN0cmVhbQplbmRvYmoKOTkgMCBvYmogPDwKL0xlbmd0aCAxMDMgICAg
ICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jMz0TO1UDBQMFfQNbRUADJ1DU0V
Ugy5CrlMDRRA0AQqlZzL5eTJpR+uYGrApe+hYMKl7+mrUFJUmsql7xTgrGDIpe+iEG2oYBDL5emi
UP8fBBrA5P8DUAoqyOXqyRXIBQAtCSu0CmVuZHN0cmVhbQplbmRvYmoKMTAwIDAgb2JqIDw8Ci9M
ZW5ndGggMTA5ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMtYzMFcw
UABhQ3MFMwOFFEOuQi5LINcAxAOJJ+dyOXly6YcrWHLpewAFufQ9fRVKikpTufSdApwVDLn0XRSi
DRUMYrk8XRRkGOoZ/jegwnoGbNAOK5TBCtEBqi31QD6XqydXIBcAyu4v5AplbmRzdHJlYW0KZW5k
b2JqCjEwMSAwIG9iaiA8PAovTGVuZ3RoIDEzMCAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUK
Pj4Kc3RyZWFtCnjaLcmxCsIwFIXhGwoKZ/AJMpwnMLktpZlrBTMIOjmIIFRHQUXn5tHyZtqifNv/
l9XSN/RsWFXUwDrwonhAPSdl/Tv9DW2EO1A93GbMcHHL1/N9hWt3Kypcx6PSnxA7Whnkk0Z5MmSb
5c9kk0wqUiFzmclCrAS5y1mwjtjjCyxQI4wKZW5kc3RyZWFtCmVuZG9iagoxMDIgMCBvYmogPDwK
L0xlbmd0aCAxMDUgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jMz0TO1
UDBQMFXQNVMwM1AwsVBIMeQq5DI1AQoChU0gMsm5XE6eXPrhQAEufQ8w6emrUFJUmsql7xTgrGDI
pe+iEG2oYBDL5emiwMDAYMAABkOJ+g8Gf6DU0PQDl6snVyAXAJfhKdAKZW5kc3RyZWFtCmVuZG9i
agoxMDMgMCBvYmogPDwKL0xlbmd0aCAxMzEgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+
CnN0cmVhbQp42i3JMQrCQBRF0T8EFF7hCqZ4G9CZH4mJbYzgFIJWFiII0VJQ0TqztNmZJhBOd2++
XPiSniXnuqJWXPOmeEE9B3kxnvaBOsCdqB5u13e4sOfn/b3D1YcNFa7hWekvCA2tdPKLvTTokk0y
MslEE7OYyVQmMhMrlTzlKtgGHPEHQtsjtAplbmRzdHJlYW0KZW5kb2JqCjEwNCAwIG9iaiA8PAov
TGVuZ3RoIDk0ICAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzLWMzBX
MFAAYUNzBUuFFEOuQi5LIM8AyAGJJudyOXly6YcrWHLpe4AIT1+FkqLSVC59pwBnBUMufReFaEMF
g1guTxcFGYZ6hv8NMFjPIMPA5erJFcgFAFtcGXcKZW5kc3RyZWFtCmVuZG9iagoxMDUgMCBvYmog
PDwKL0xlbmd0aCAxNTMgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42oXM
vQ4BQRTF8REJyYmoFYrzAsyXZeu1ElNIqBQikaCUIPQezaN4FHez006m+DXn5v5ndlo4GhacOEu/
4NzxYvGAt7Ialj6ezjdUAXpPb6HXskOHDV/P9xW62i4pa82DPB0RaiqletFQDKKxGIlSmOguTtFP
fFudxqfVbcjcz2RT6Uw2lc5lE+lcNpVOZBVWATv8AXjUKsYKZW5kc3RyZWFtCmVuZG9iagoxMDYg
MCBvYmogPDwKL0xlbmd0aCAxMDEgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVh
bQp42jMy1jMwVzBQAGFDcwVjM4UUQ65CLksg1wDEA4kn53I5eXLphytYcul7AAW59D19FUqKSlO5
9J0CnBUMufRdFKINFQxiuTxdFGQY6hn+N8BgPYMMAzEAUxeXqydXIBcAZnAiuAplbmRzdHJlYW0K
ZW5kb2JqCjEwNyAwIG9iaiA8PAovTGVuZ3RoIDE0MCAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNv
ZGUKPj4Kc3RyZWFtCnjaMzLWMzBXMFAwV9A1NFMwtFAwNlNIMeQq5DI0UABBUyOoVHIul5Mnl364
gqEBl74HUJxL39NXoaSoNJVL3ynAWcGQS99FIdpQwSCWy9NFQYahnuF/AwzWM8gwEAPgug6AYP0B
mQMMUMh4gLGBsYG5gZmBnYGNgQ+o0oKhgCGBgcvVkyuQCwB/JiyVCmVuZHN0cmVhbQplbmRvYmoK
MTA4IDAgb2JqIDw8Ci9MZW5ndGggMTYyICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+Pgpz
dHJlYW0KeNpVzEEKgkAYBeA3CAn/wnULwf8EjY5Y00owg2YR1KpFBEK1DCxq7RxtjuIRvEFp0iIe
3+Y9eGoxm2uO+6QpqyVnmi8J3UmNpcrG5XyjwpA8sNIkN31N0mz5+XhdSRa7FSckSz4mHJ/IlBzC
R4PIvW3efrm8+2lc1IXOj+HwRzjUwqIaeBatBzgfwk0gbADPDp8aAWqEqDAFrQ3t6QNiKzEyCmVu
ZHN0cmVhbQplbmRvYmoKMTA5IDAgb2JqIDw8Ci9MZW5ndGggOTQgICAgICAgIAovRmlsdGVyIC9G
bGF0ZURlY29kZQo+PgpzdHJlYW0KeNpNyT0OQFAQReH+ruKuwLyZeKj9JF4hoVKICqWCsHsJEo3k
VN+xNEoyOio1ocU05azYYPaio//GtCIPkJ5mkJoeEhoe+7lA8ragQkoOSjcilLzv6x+qgA4P0Gkg
iwplbmRzdHJlYW0KZW5kb2JqCjExMCAwIG9iaiA8PAovTGVuZ3RoIDE2NSAgICAgICAKL0ZpbHRl
ciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzLXM7NQMFDQNVQwNlYwslAwtVBIMeQq5DICiRoo
GJlCpZJzuZw8ufTDgWq49D2A4lz6nr4KJUWlqVz6TgHOCoZc+i4K0YYKBrFcni4KjA0MCcwNDA/Y
GRgP8DEwN8gwsDNIMLAxWDDwMRgw8DAUMMgwJABFQPgBUPQAUBQZn2MwbvjfYP/g/wH7DzBcf0Ae
jO0b+B+AzORy9eQK5AIAO2cw9wplbmRzdHJlYW0KZW5kb2JqCjExMSAwIG9iaiA8PAovTGVuZ3Ro
IDkwICAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzHUMzVSMABCI0MF
EyMFI2OFFEOuQi4TQ4ggRCI5l8vJk0s/XMHEkEvfQ8GIS9/TV6GkqDSVS98pwFkBKOiiEA3UEcvl
6aLwHwQaICSXqydXIBcAUgQciAplbmRzdHJlYW0KZW5kb2JqCjExMiAwIG9iaiA8PAovTGVuZ3Ro
IDE3MiAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzHTMzRWMFAwBGIT
EwVTS4UUQ65CLhMjIN8AxAVJJOdyOXly6YcrmBhx6XsARbn0PX0VSopKU7n0nQKcFQy59F0UooEq
Y7k8XRQYGPh/MABB/T8gwfiDvYGBgf0B4wEGBvkGhgcMDPZAHgNDHQP/Bxj5B0Ey/oCSQDVAkrEB
RIKNIZlk/sDwHwhQSbj5zEOBZP7DwP6Dof7/g///DyCTXK6eXIFcAF7liNMKZW5kc3RyZWFtCmVu
ZG9iagoxMTMgMCBvYmogPDwKL0xlbmd0aCAxNzUgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2Rl
Cj4+CnN0cmVhbQp42jOx0DMxUTBQMARiU2MFU0uFFEOuQi5TEN8AxAUxknO5nDy59MMVTA259D2A
olz6nr4KJUWlqVz6TgHOCkBRF4VooMpYLk8XBQYG/h8MfxgYGOr/s/9nYGD8wX6/+QAD+wPG//wH
GOQb2P/JP2CwZ+D/A6Tq4NQPIPUHTn1gb2D8wcD+AaSbgZna1H8Q+IFG0cKiAaKY/zCw/wAF/4P/
/z+gUVyunlyBXADgB6ANCmVuZHN0cmVhbQplbmRvYmoKMTE0IDAgb2JqIDw8Ci9MZW5ndGggMjA4
ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNrl0bGKwkAQBuA/pFiYZh8h
8wS3RkjESvAimELQyuK4Si0t7tDWBHwxfQJfYR9hyxTBdRIFPc7SzoFlv9n9Z5tN+x9d7nAsK+1x
0udlTD+UJtJ3mra5WKxpmJOZc5qQGcspmXzCm9/tisxw+skxmYy/JPlNecaAdogcpIozfC17UOm9
0wJlg9MhLIGohEdwAAZQZ2jBDrpGZB9QQ1d/EFTt0y2Ua6YEoUOIG/BqKAt/rWe4ZiJ7D78hwhqq
/ZfCW++P3pf/QaOcZnQB4PnLQwplbmRzdHJlYW0KZW5kb2JqCjExNSAwIG9iaiA8PAovTGVuZ3Ro
IDIzNSAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjabdDBagIxEAbgCQEX
BulePQg7T9BkLZH1JKiF7kFoTz2UgtD2WKjS3oTNo+2j+Ah79LCYTiK4UTYQPmZCJj+ZTu4nBWl6
4G1mNNX0meMWjeFa+9IffHzjokT1SsageuIuqnJNv7u/L1SL5yXlqFb0lpN+x3JFAFBAWNfs+zj1
IFwPsrIRSVV7BvOYu/nBM8xixlnjGaUxRXr06CTmJ2k9GxlTy5CpFhHChkzCQoQEcDZQdQwYjpY4
5zpShqMNAbKOEfebWzTfOd6y4enthcMFjibOyCb8Wtr6J63jWM6drsHHEl/wHyWwbbwKZW5kc3Ry
ZWFtCmVuZG9iagoxMTYgMCBvYmogPDwKL0xlbmd0aCAyMDkgICAgICAgCi9GaWx0ZXIgL0ZsYXRl
RGVjb2RlCj4+CnN0cmVhbQp42pWQsQ6CMBCGjzCQ3OIjcE9gQW1kM0FMZDDRycE4qaODRmf6aDwK
j8DIQKiFqwYSF9q0X67t3f39ZTSNZhTQ3Cy5ILmka4gPlAG104TtxeWOcYriSDJAsTWnKNIdvZ7v
G4p4v6YQRUKnkIIzpglpMwqAFjVDAzhaQZabEMAvOkzKDl7Vwa37cJoB9Fhwntv0a9pGtq0VsWJJ
Rhyw3B8AMtV/6XGey1WcgU7QQ6gOmUU+FqpfhfH3Yx6L8Ct2t2Sv86/l7W7U4ibFA34AVgKfUApl
bmRzdHJlYW0KZW5kb2JqCjExNyAwIG9iaiA8PAovTGVuZ3RoIDI2MCAgICAgICAKL0ZpbHRlciAv
RmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjardGxSsRAEAbgPwQMTGFaC+HmBTSJ3KpbLZwnmELQykKs
1FJQ0dbMm/gqvol5BMsrxHV2smchlkLgI5PNzO6/zu/6A27Z8c4eO8fO801HDzT3Wmx5v5u+XN/R
oqfmgueemhMtU9Of8tPj8y01i7Mj1vclX3bcXlG/ZKCIUghQx7FUhrhStPZSCcpP1LWg/kD5KpiN
KN4FQVdFwQBdLPhSghQTuh6YSbVS6jX6N1Ct0SY/lBIyb8aQKH4jRkzY4H9nyPw1PWRGI+96Anai
TAU7bWYDlsQmLJdtWEpbsMwOYQneI+UJfVK6OiVlLXYbwXYTUwe9ldQ9VQE67umcvgGaZXOWCmVu
ZHN0cmVhbQplbmRvYmoKMTE4IDAgb2JqIDw8Ci9MZW5ndGggMTk0ICAgICAgIAovRmlsdGVyIC9G
bGF0ZURlY29kZQo+PgpzdHJlYW0KeNozM9YzMVYwUABhUwsFU3OFFEOuQi5TEyDfAMQFSSTncjl5
cumHK5iacOl7AEW59D19FUqKSlO59J0CnBUMufRdFKINFQxiuTxdFP4DwQEGBhD1A0L9Y2Bg/N8A
REAuA4P9AzDF/wFMMf8AU4x/wBTDPwhVj0LZN0CoA2BKHko9AFP8UOoDFor9Bx7qDw0oPPahORDF
8VCvQD0G820DchD8Qw4laJhBQxAYnqCgBSEQQAl5YDxwuXpyBXIBAD0wlGQKZW5kc3RyZWFtCmVu
ZG9iagoxMTkgMCBvYmogPDwKL0xlbmd0aCAxODEgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2Rl
Cj4+CnN0cmVhbQp42nXQsQrCMBAA0AsdCrf0E7wvMK0YHQu1ghkEnRxEEKqjg6Kz/TQ/xS9pTHNx
iI2B8JK7HElOzcaqoJwmdqopqTmdCryii+X9tk80F6w0yh2pAuXKRlHqNd1vjzPKarMgG61pb0sO
qGsy/eggRJgW0g7AAICnZEZMxqQxkiitQzheUQAGiICEyRzGRPC578mwfHDDMcbbvdMu/iJi+P95
0oCMKZln67pruNe/4FLjFj9Vn5J+CmVuZHN0cmVhbQplbmRvYmoKMTIwIDAgb2JqIDw8Ci9MZW5n
dGggMTY2ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozNdEzUjBQMAZi
U0MFU3OFFEOuQi4TcyDfAMQFSSTncjl5cumHK5iYc+l7AEW59D19FUqKSlO59J0CnBUMufRdFKIN
FQxiuTxdFP6DwA9kkvF/A4P8D4b/DAyMYJLhD5isAZM2YFIGieTBQfKBSTY4ydiATDJgJZmRSHYw
KQ8i//9HJyHiUDXIuhiJIEGASiTj/wMMYEcdQCW5XD25ArkATf941wplbmRzdHJlYW0KZW5kb2Jq
CjEyMSAwIG9iaiA8PAovTGVuZ3RoIDI1NCAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4K
c3RyZWFtCnjardGxSsRAEAbgP2wRmCaPkHkBTSImYLVwnmAKQSsLsTotLRStN2Dha01n6SvkDbzy
iuPW2c0mIFia5ktmks3sv1173HRc8ykfnXDXcHvGDw09UxuKdajEzuaJVj1Vt9x2VF1qmar+il9f
3h6pWl2fsz6v+a7h+p76NQPwAwQo/DZTrN8H/GCNwOyRfwiKLcyXoByBb4HVthO4AeHW6wKlZIeI
vq8LSb5T8hn9GjAzYZGZTGxCIi6Av9EhMc36T3i9JsIfEnBjxErCJsZI+Yu4o4W424WYhJ1ySSml
zNyUoF/yLHYwn5r1Afl7bNh0DulUlonpoqcb+gHuFpTbCmVuZHN0cmVhbQplbmRvYmoKMTIyIDAg
b2JqIDw8Ci9MZW5ndGggMTI1ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0K
eNozM9IzslAwUDAGYlNLBVNzhRRDrkIuU1Mg3wDEBUkk53I5eXLphyuYmnLpewBFufQ9fRVKikpT
ufSdApwVDLn0XRSiDRUMYrk8XRT+///P+P//P1SK8X8DA/N/BgYgYvw3OCkgwKQGr3ORKWjoYg15
LldPrkAuACG7pTcKZW5kc3RyZWFtCmVuZG9iagoxMjMgMCBvYmogPDwKL0xlbmd0aCAxMDYgICAg
ICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jOy1LO0VDBQMAJhSwVTc4UUQ65C
LiMzIN8AxAVJJOdyOXly6YcrGJlx6XsARbn0PX0VSopKU7n0nQKcFQy59F0Uog0VDGK5PF0U/v//
fwCGGYCIob5h6GOQV5D8xeXqyRXIBQAzdlyCCmVuZHN0cmVhbQplbmRvYmoKMTI0IDAgb2JqIDw8
Ci9MZW5ndGggMTY1ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMdIz
M1cwUDBW0DVSMLZUMDVXSDHkKuQyNgUKGiiYWkJkknO5nDy59MMVjE259D2Awlz6nr4KJUWlqVz6
TgHOCoZc+i4K0YYKBrFcni4KDPb//z9AIhjk/zAwMLD/GOKEPYiobwAS/w9gI/g/MPxvABL1DPwP
GAoY5B8wWDDIH2CQYbBvYOADijKwNwLDgfH/B6Bx9Q0MDFyunlyBXACfzmCsCmVuZHN0cmVhbQpl
bmRvYmoKMTI1IDAgb2JqIDw8Ci9MZW5ndGggMjQzICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29k
ZQo+PgpzdHJlYW0KeNpd0c1Kw0AQB/BZcgjMob5AoPsEJkFbc5AGagVzEOzJg3hqPQpR9Gr20fIo
eYQcPUjH7cz/0JRl9seyzMx+LK8vF5Uv/FWMZekXN35f8gdHizgix43dO68bzp/jmvMHnZtH//X5
/cb5+unOl5xv/Evpi1duNl5EyMU410kg6kYiIaI6mCsyb2EFWziYrjeTYKZkzmAGK9jCwdT0aBpM
TYtmcAV/oJgOJmJ5aWd1ZjCrrX41H9UWDhe/ap/+qQFScsB5ZCoJ7tX1U2vcXwufqA1O1AbH9zlM
1QYaeG/p4aD/4WTU/5mLhHP5vuEt/wM1ipVQCmVuZHN0cmVhbQplbmRvYmoKMTI2IDAgb2JqIDw8
Ci9MZW5ndGggMTQwICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozNdSz
VDBQMAZiE0sFU3OFFEOuQi4TUyDfAMQFSSTncjl5cumHK5iYcul7AEW59D19FUqKSlO59J0CnBUM
ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42oXPsU7DQAwGYEcZInloXwDp/AJwjZIoWyuVIjUD
Ep06VJ0KIwMI1l4e7R4lj3BjBhTzu0hlYGD5Btv3+1y3d20jC2nktpS6kqaW55LfuGpRRLn56Zxe
ed2x30vVst+izL57lI/3zxf266d7Kdlv5FDK4sjdRm6IKLqeiuhGCtGpan+FwGR8GckYjB5MBBJA
wH/kNuzsbdCR3FQgL+WIjxkW9aQRcxpnYMB8uJCujL84YxUBhsKoF9IfkjUMTQHxw9nil5RpXFFu
KwuleXITFYoPZXYWBZxFc6zhh453/A3UNIRzCmVuZHN0cmVhbQplbmRvYmoKMjE5IDAgb2JqIDw8
Ci9MZW5ndGggMjUyICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNpF0DtO
BDEMBmBHKUZykyOMLwCzo53RaqtIyyIxBRJUFIgKKClAUGeOlqPkCClThBh7QWzzKQ/H+ZNpd7mb
aUMTXYw0TTRP9DLiO273srihef7deX7Dw4LDA233ONzIMg7LLX1+fL3icLi7ohGHIz2OtHnC5Uhg
eAVwnAE8V4BmGEyBsNoMPnYJ+iS45CK4LHS5P5OUrBSlSknPUtxzVFIfHRcvtLB2zA2ECpblNqMj
YGaAwBLBM0edJvst210OXFzyXLRF9avlGlaQPlKu9K0BdIpVzD9wprIixUbPGgkCtvi/zPKiBiHa
U4JTFq9/YCUKXi94jz99z5OFCmVuZHN0cmVhbQplbmRvYmoKOSAwIG9iaiA8PAovVHlwZSAvRm9u
dAovU3VidHlwZSAvVHlwZTMKL05hbWUgL0YzMQovRm9udE1hdHJpeCBbMC4wMTIwNCAwIDAgMC4w
MTIwNCAwIDBdCi9Gb250QkJveCBbIDEgLTIxIDgwIDYyIF0KL1Jlc291cmNlcyA8PCAvUHJvY1Nl
dCBbIC9QREYgL0ltYWdlQiBdID4+Ci9GaXJzdENoYXIgMjgKL0xhc3RDaGFyIDEyMQovV2lkdGhz
IDIyMCAwIFIKL0VuY29kaW5nIDIyMSAwIFIKL0NoYXJQcm9jcyAyMjIgMCBSCj4+IGVuZG9iagoy
MjAgMCBvYmoKWzUzLjA1IDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAzNy4xNCAzNy4xNCAwIDAgMCAz
MS44MyAyNi41MyAwIDAgNDcuNzUgNDcuNzUgNDcuNzUgNDcuNzUgNDcuNzUgMCAwIDQ3Ljc1IDAg
MCAwIDAgMCAwIDAgMCA3Mi4yIDY3LjkzIDY4Ljk3IDAgNjIuNzQgMCA3NS4wOCAwIDM2LjIxIDQ5
LjM2IDAgMCAwIDAgMCA2NS4yOCAwIDcxLjYyIDUzLjA1IDY2LjQzIDczLjQ2IDAgMCAwIDAgMCAw
IDAgMCAwIDAgMCA0Ni40MiA1My4wNSA0Mi40NCA1My4wNSA0My43NyAyOS4xOCA0Ny43NSA1My4w
NSAyNi41MyAwIDAgMjYuNTMgNzkuNTggNTMuMDUgNDcuNzUgNTMuMDUgMCAzOS4zMyAzNy42NyAz
Ny4xNCA1My4wNSA1MC40IDAgMCA1MC40IF0KZW5kb2JqCjIyMSAwIG9iaiA8PAovVHlwZSAvRW5j
b2RpbmcKL0RpZmZlcmVuY2VzIFsyOC9hMjggMjkvLm5vdGRlZiA0MC9hNDAvYTQxIDQyLy5ub3Rk
ZWYgNDUvYTQ1L2E0NiA0Ny8ubm90ZGVmIDQ5L2E0OS9hNTAvYTUxL2E1Mi9hNTMgNTQvLm5vdGRl
ZiA1Ni9hNTYgNTcvLm5vdGRlZiA2NS9hNjUvYTY2L2E2NyA2OC8ubm90ZGVmIDY5L2E2OSA3MC8u
bm90ZGVmIDcxL2E3MSA3Mi8ubm90ZGVmIDczL2E3My9hNzQgNzUvLm5vdGRlZiA4MC9hODAgODEv
Lm5vdGRlZiA4Mi9hODIvYTgzL2E4NC9hODUgODYvLm5vdGRlZiA5Ny9hOTcvYTk4L2E5OS9hMTAw
L2ExMDEvYTEwMi9hMTAzL2ExMDQvYTEwNSAxMDYvLm5vdGRlZiAxMDgvYTEwOC9hMTA5L2ExMTAv
YTExMS9hMTEyIDExMy8ubm90ZGVmIDExNC9hMTE0L2ExMTUvYTExNi9hMTE3L2ExMTggMTE5Ly5u
b3RkZWYgMTIxL2ExMjFdCj4+IGVuZG9iagoyMjIgMCBvYmogPDwKL2EyOCAxODEgMCBSCi9hNDAg
MTc3IDAgUgovYTQxIDE3OCAwIFIKL2E0NSAxODAgMCBSCi9hNDYgMTc5IDAgUgovYTQ5IDIxNCAw
IFIKL2E1MCAyMTUgMCBSCi9hNTEgMjE2IDAgUgovYTUyIDIxNyAwIFIKL2E1MyAyMTggMCBSCi9h
NTYgMjE5IDAgUgovYTY1IDE4MiAwIFIKL2E2NiAxODMgMCBSCi9hNjcgMTg0IDAgUgovYTY5IDE4
NSAwIFIKL2E3MSAxODYgMCBSCi9hNzMgMTg3IDAgUgovYTc0IDE4OCAwIFIKL2E4MCAxODkgMCBS
Ci9hODIgMTkwIDAgUgovYTgzIDE5MSAwIFIKL2E4NCAxOTIgMCBSCi9hODUgMTkzIDAgUgovYTk3
IDE5NCAwIFIKL2E5OCAxOTUgMCBSCi9hOTkgMTk2IDAgUgovYTEwMCAxOTcgMCBSCi9hMTAxIDE5
OCAwIFIKL2ExMDIgMTk5IDAgUgovYTEwMyAyMDAgMCBSCi9hMTA0IDIwMSAwIFIKL2ExMDUgMjAy
IDAgUgovYTEwOCAyMDMgMCBSCi9hMTA5IDIwNCAwIFIKL2ExMTAgMjA1IDAgUgovYTExMSAyMDYg
MCBSCi9hMTEyIDIwNyAwIFIKL2ExMTQgMjA4IDAgUgovYTExNSAyMDkgMCBSCi9hMTE2IDIxMCAw
IFIKL2ExMTcgMjExIDAgUgovYTExOCAyMTIgMCBSCi9hMTIxIDIxMyAwIFIKPj4gZW5kb2JqCjIy
MyAwIG9iaiA8PAovTGVuZ3RoIDk1ICAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3Ry
ZWFtCnjaMzHWszBVMFAwVDAyVDA2VzA2Ukgx5CrkMgYJAoUNITLJuVxOnlz64QrGplz6HkBhLn1P
X4WSotJULn2nAGcFIN9FIdpQwSCWy9NF4T8QPCCd4HL15ArkAgDsV0d6CmVuZHN0cmVhbQplbmRv
YmoKMjI0IDAgb2JqIDw8Ci9MZW5ndGggMjEwICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+
PgpzdHJlYW0KeNrtkrEOgkAMho8wkHThEegTeBAMsJkgJjKY6ORgnNTRQaOzPto9io/gyECo7QEu
Liw62eRyX3v9217SNB6FGYYY80lDzMa4j+AEScK+deVhd4S8BL3GJAE95yjocoGX8/UAOl9OMQJd
4CbCcAtlgYrtVitrAdFdboeIHgIeQyUwIePbJKqV09iUJ+tsilEuMfis9UQfUOuwqIemA2n0hoCV
Uq+NSJ9P8KSygNt0oKoe1JeAP20UtTYMuplNP/Mffg6yqLKtZgjArIQVvAAwrVSQCmVuZHN0cmVh
bQplbmRvYmoKMjI1IDAgb2JqIDw8Ci9MZW5ndGggMjY3ICAgICAgIAovRmlsdGVyIC9GbGF0ZURl
Y29kZQo+PgpzdHJlYW0KeNq1kz1ug0AQhceiQJpmj+A5QRZsJSIVkkMkU1iyKxdWKjtlikRJHR+N
o3AESgrEetawA/La7syK1bf87Jt5D17nT88UkT2TF0pmdIjxG5OI7OClvbH/wkWOektJhHrJV1Hn
K/r9+ftEvVi/UYw6o11M0QfmGZnz0QJAR6YSaoXMUagEUKYAmNoHzxSYuqeJaXqC/1bIOEp5m46m
PF+S4q1vU8hyj6H7uuNKj14fQ29Dv+LB4EsorqV2Up2T4Ki+QizhfC7F3dpXS6UCdcXJoctgRHVP
Nq5LAk79HpmHka82GZFfaSAUSkfjVCvJrZS0CuekS1CxhPuyG6FKqPD/BX4L33Pc4Al1zXnrCmVu
ZHN0cmVhbQplbmRvYmoKMjI2IDAgb2JqIDw8Ci9MZW5ndGggMzM4ICAgICAgIAovRmlsdGVyIC9G
bGF0ZURlY29kZQo+PgpzdHJlYW0KeNrNkz9OhUAQxmdDsck2HIG9gAJR49q4yfOZSGGilYWxUksL
jXZGOBre5CVegJKCMM7sHyCRvFqg+C07OzN883F2cliUutCn+qDUxmhzpJ9K9apMofk2x37n8UVt
KpXfaVOo/Ipeq7y61u9vH88q39xc6FLlW31PiR5UtdVAV4IdgGSqEQFSAomIO8iILFEPlogAR6g5
HtsEgUNpC+w3clhLyx/kMJcSQeBAJIgSDnM7krK6OpDxAT5HT8OUMTFQVqhHR5KqDOB7FAty6Si1
69yRDAQLSn0xKjdTKLskO1NoZUnZTPU+4m/6Q/iPqF6lZg+taTDTpNoa2Unxmc6nycz0FawB8Bmn
CkOcNPRx+qKPjki66BJHrhm5i25K2+iwrImusxCcCGPUQwwQHCt75zda287bthU+FbsdgwwY2uC/
oosqRSG8B9VlpW7VL9nP7eMKZW5kc3RyZWFtCmVuZG9iagoyMjcgMCBvYmogPDwKL0xlbmd0aCAy
MjggICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42pXSPQ7CIBQH8Nd0IHkL
RygnEKvGdjPxI7GDiU4OxkkdHTQ6l6P1KB7B0UkE0776gaQSSH6FAAX+ab/VjUVb9ExLO7ZuYzxg
kpjvZ48d2OxxmKFciiRBOTW9KLOZOB3PO5TD+UjEKMdiZZZZYzYWuix3aCrg+gLAtC4FOSkiMVJI
CkhQK3dooL4VecWbKLgCLyqxhgL4UOgVI3FSRNKlTPlT9dzX9bhjX///vZ/o5pO9rh+yj+lQ6NLl
W8wrXquglyYNHMpJuqCsKUqionQqSmwpc8WqSrZT4BJOMlzgA+7AVVwKZW5kc3RyZWFtCmVuZG9i
agoyMjggMCBvYmogPDwKL0xlbmd0aCAzNDkgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+
CnN0cmVhbQp42tWTsU7EMAyGXXWolKWPUL8AtFWRrp0iHYdEBySYGBATMDKAYG55s+NNTuIBuPGG
qsZJ3Lu0RcBKB/eT4zh24j/PiuOiwgwXeJRjtcCywPtcPanSODMsT9zK3aNa1iq9xrJS6Tm7VVpf
4Mvz64NKl5enmKt0hTc5ZreqXiHwF9IWIAL7NUQAscWIiDaQWNbMO9CWGamHxu2kdUhAhmMOAP1O
LnzNjg9y4S6QbUCdtc6z269GfI49m01itpoM1rRgXYPDnGICeynQJOjAVTKkH9im57/0JxwJw4Rj
VwKYvnyWcsasxyxljjkZc/MbD/1/w/RPeF5/Y2aldT3+zHrGLoeWezac/IGHt5vy8NZTljG0HIy4
O/RB/YEbj2UmG29W/Rn2Z9ub+WCmBV8jnIg3xJ+iKQ7STke8vAnojfYaFN1ZbXaiTaPZrejX3GYL
IYgmXG/qrFZX6gs/piGQCmVuZHN0cmVhbQplbmRvYmoKMjI5IDAgb2JqIDw8Ci9MZW5ndGggMTA1
ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozsdAzMVEwUDAGYhNTBQsj
hRRDrkIuE0Mg3wDEBUkk53I5eXLphyuYGHLpewBFufQ9fRVKikpTufSdApwVgKIuCtFALbFcni4K
/0GgARfJwP7/AwPDKDlUSPyxyeXqyRXIBQCSOtWwCmVuZHN0cmVhbQplbmRvYmoKMjMwIDAgb2Jq
IDw8Ci9MZW5ndGggMjkwICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNq1
07FOxCAYAGBIhyb/0kfo/wJKa43XTk3OM7GDiU4OxkkdTdTo3Hs0HqWPwNjhIlKg3N/IjSUp+QoB
fvih2ZxvrrDASzwrsamxvsDXEj6hqUxjgXXlel7eYduBeMSmAnFrmkF0d/j99fMGYnt/jSWIHT6V
WDxDt0Nty8Cm4qypFfEvsd5PP+nU70dbZ26AdaIPwcwNdu710a2dyDlfWAZndoGYVfDpelzZ8Tpb
mMYso3uke2/J+fTk3Mh5JjaE+cwHkgufl5Avb0UsI+3KfAdG5jm6Jbl2If9fN13kfYyak/j54m6c
uCerWK/jj+A9GyPul+ZjyLXkKuJcD4nyD83cpXTwNlnKpTef6vkx9iaK2ZlPvXvII4ObDh7gD3U7
jW4KZW5kc3RyZWFtCmVuZG9iagoyMzEgMCBvYmogPDwKL0xlbmd0aCAzNDYgICAgICAgCi9GaWx0
ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42n3RsUrEQBAG4D+kCGyTFxB2X0CTcN5dCiFwnmAK
QSsLsVJLC0U7Ifdo8U3ON0i54JJxZndPj6Cm+WB2djIzu5wdlbUpzdIcVmaxMPXM3FfqSc0lWJr6
OJzcPapVq4prM69Vcc5hVbQX5uX59UEVq8tTU6libW4qU96qdm2AfAQOABANOAEyIoc3QBMRHNCx
7ywNCX04JLSB/nRISVIdMj5K2NxKCQc9sE1UOzRbNv+xE/lS17PpxMSBfpP7oO1Eqc99fmujLjrC
fx3t7KM2yoNIqxQCrM+QsaVEzkqGd/Br8QepOMrMMcHbhz1Jc3r/go2JNvzRV85CAR/wSknEHhAD
vjfsbKI6msdhsmhKvd03+UPepvvfzTiRwv2d8B2I/t3G8B7iEN41LM+G/WtWEpsB1HEHnDzyDNL2
6PfDL5mEtVhZB9cYZON8hct2UkqdtepKfQHhSRqxCmVuZHN0cmVhbQplbmRvYmoKMjMyIDAgb2Jq
IDw8Ci9MZW5ndGggMTc2ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNqz
NNQzMVcwUDAFYgszBQtDhRRDrkIuCwMFEARyQRLJuVxOnlz64QoWBlz6HkBRLn1PX4WSotJULn2n
AGcFIN9FIdpQwSCWy9NFwf4/FPwhnnWAof4/AzOQ9YcBxGKw/1P/AcLi/1f/AMJi/1d/AMJi/lff
AGEx/qtngLAYkFh1MFYdNlYNjGVHLOsPjGX/A8aSJ53FAGMxjLKGJYsRkpwPEM3icvXkCuQCAOND
7DwKZW5kc3RyZWFtCmVuZG9iagoyMzMgMCBvYmogPDwKL0xlbmd0aCAyNzAgICAgICAgCi9GaWx0
ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42pWRsUrEQBCGJ6QITHOPsPMCmgRMrgycJ5hC0MpC
rDxLC0XrvbxZ4F7k4F5gO68IGee/TeAKLdxl+diZ2Z3/Z+rqcrmUQq7kopS6kqqSTcnvXBeCXdUx
8/LGq5bzR6kLzm8tzHl7J58fX6+cr+6vpeR8LU+lFM/croWoGQkrU92DTnUAvaoaEu0X2hOlI6Uo
yCyoAdySPxIh6YdI/HROp79zYW/xHkxPsS0lYyTWP2nKwVQjfSSuoNNwqvMa681d7BsmHVHPfNyk
p5k56YoeZ3ZBZx7/pjun1TdGP3OEpC7g/2/dBeuXHHS3d9pnBxtFpsF1qj1sEIxgLOYBfqgZMBgT
H4hvWn7gH5/fzqIKZW5kc3RyZWFtCmVuZG9iagoyMzQgMCBvYmogPDwKL0xlbmd0aCAyNDMgICAg
ICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42rWQsU7DMBCGL+pg6RY/Qu4FwIlk
U7pgqRSJDEhl6oCYaMcOIFhJHy2PwiNkzGDluHOCunTFy2f999u/7g+3135JFXm6qil4CoH2Nb6j
X4lYUbiZJm9HXDfoduRX6B5FRtc80efH1wHdentPNboNvdRUvWKzIYAF/4CcyKOCmU+qsaqWIQ4y
SmASQDuAFQ/3UI5QyDyyGDuFkUdnyDNFOWPMiAK5KmzKMAO0ORPadAH8f/gLGi8gzuAM3QHsaYbV
bsoZsm0nvqm/OymkB/iWCCks5YhiyN+YXovsSnGZqd2Cp66jerVs0fChwWf8Bc1Gi74KZW5kc3Ry
ZWFtCmVuZG9iagoyMzUgMCBvYmogPDwKL0xlbmd0aCAyNTMgICAgICAgCi9GaWx0ZXIgL0ZsYXRl
RGVjb2RlCj4+CnN0cmVhbQp42tXSvU7DMBAH8FQZIt3iR8i9AHWifm6W+iGRAQkmBsQEjAwgmN03
6Cv1UfoG7dghyp+zr/GCisSEiGTll4uds//KbDSs5lzxmK9qnlU8H/FzTW80nUhRHsf65umVFg3Z
e55OyF5LmWxzwx/vny9kF7dLrsmu+KHm6pGaFWfhyrGJd4NfIHM9zP+HJKBwOEUMgC6iALANKLFz
hwDXhaLAn8I0AY4yBAPspSrIsdN8Cl250TYm4ty0TOjOcN/gE9qLwF/gh/34y8dJSEdOIcRYyj6x
FF0Ks483BZ4jht1m5gD9kN8iLgOMzkarP6vHXlEgM9KZ1g3d0ReJYgc9CmVuZHN0cmVhbQplbmRv
YmoKMjM2IDAgb2JqIDw8Ci9MZW5ndGggMjQ0ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+
PgpzdHJlYW0KeNqFkL9KBDEQh2fZIjBNHiHzArq3YESrwHmCWwhaWYiVWloo2rp5tH2UPMKVFmHH
mbnj9FAxkHzw5Zc//OLp4UlPCzqig57iMcVIDz0+Y1S5UGM790+4HLC7odhjdyEau+GSXl/eHrFb
Xp2R2BXdypk7HFYE4DiDjJE/ZG2YZ1DHagO3XABShXENOpNkxIQqwQl8hVZibrY7HINnELNFDvMO
DedkmPYx1m8oCtiB92HjD2hEQv9j/BWzIf1EWwJ/wRVvmKwxv0VupQkIubGm5CVp6t3ubqo2CE46
81zSWttgDcOmXUibX9lJPB/wGj8BeeutnAplbmRzdHJlYW0KZW5kb2JqCjIzNyAwIG9iaiA8PAov
TGVuZ3RoIDE3NSAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnja1dC9CsIw
EADgEwfhlj5C7wlMKim4FWoFMwg6OYiTdnRQdG4ezUfpIzhmkJyXOujSTQeHfOR+4I4zejwhTUZe
rmlq6JDhCU0ucRfGwv6IpUW1IZOjWkgWlV3S5XytUZWrGWWoKtpmpHdoKwKA1AtDDmLC7AAK5hsA
+6KVdMt3GLETEx6wh7SzCG+bx6cgnfJ52bTR1EUBvitzXLPPX0z8L+UMoV+cW1zjEyzd4LcKZW5k
c3RyZWFtCmVuZG9iagoyMzggMCBvYmogPDwKL0xlbmd0aCAxMzggICAgICAgCi9GaWx0ZXIgL0Zs
YXRlRGVjb2RlCj4+CnN0cmVhbQp42jM20zM1UTBQAGFjYwULE4UUQ65CLiMLIN8AxAVJJOdyOXly
6YcrGFlw6XsARbn0PX0VSopKU7n0nQKcFQy59F0Uog0VDGK5PF0UGOwZGBj+H2Bg/P+Agfn/BzBm
//8DK4bJg9SC9ID1kgvkfzD8/4+JGYGYYYjg////f0DHXK6eXIFcAM3ZpTsKZW5kc3RyZWFtCmVu
ZG9iagoyMzkgMCBvYmogPDwKL0xlbmd0aCAxODQgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2Rl
Cj4+CnN0cmVhbQp42u3RsQ6CQAwG4CYMJl14BPoE3hER3EgQExlMdHIwTurooNFVebR7FB7hjIMM
hHp3ERcXHsChzdc2/9RkNJQTkhSZSkIaR7QP8YRxbGZpR3vYHTErUKwpjlHMzRZFsaDL+XpAkS2n
FKLIaROS3GKRE6QaggYAmLWp0sFjrhx85tohUPfG4QZpC+CxriFgG3voDhX4Lv9UH7zKDgADVjbf
of1B0wP1H1+wec3ANNUHOCtwhW8L4viaCmVuZHN0cmVhbQplbmRvYmoKMjQwIDAgb2JqIDw8Ci9M
ZW5ndGggMjMxICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNq1kbEOgjAQ
hmsYSG7hEbwX0IKxMJIgJjKY6ORgnNTRQaMzPJqPwiMwMhjOXksZTBglIV9z/Xu9/n+s5kmCIS5x
FmG8QKXwEsEdFBdDVLHdOd8gK0AeUCUgN7oMstji8/G6gsx2K4xA5niMMDxBkaMQE3oL/lLqDImo
0vA0a82AKmp5+yOmLCgb4RPLai2pzGn+eW1rrKmtRmsDw1YEfDZtbQ/XSzM17HgpuOhYGtIoybL6
F8fuHeZ0c/f8fdfw7p6+8acZfHK+OR8HX10PN4uvc2gEx0Q2KJeTZ+KBdQF7+AIvKbXYCmVuZHN0
cmVhbQplbmRvYmoKMjQxIDAgb2JqIDw8Ci9MZW5ndGggMTY5ICAgICAgIAovRmlsdGVyIC9GbGF0
ZURlY29kZQo+PgpzdHJlYW0KeNrVzzsOwjAMANB09dIj1CcgjZJWYqpUikQGJJgYEBMwMoBgbo/G
UXqEVAxkqGqcMjD1AFj2k/xZnOmZnmOKmivjNHhScAWTcz+2YXG8QGlB7tDkIFc8BWnXeL89ziDL
zQIVyAr3CtMD2ApF4aJeELmYGjahlq3JsUPiiTpf+Ig6V/PRqx19Bt/NTxJfCy9oEIkLxm2Qg/oJ
/R9JFJ6ZEpYWtvABal6k7wplbmRzdHJlYW0KZW5kb2JqCjI0MiAwIG9iaiA8PAovTGVuZ3RoIDI1
OSAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaXdAxTsNAEAXQH6WwNAW+
ATsXANuKjUKDpRAkXCCRigJRASUFCNqsj+aj7BFcprB2mFkHKaJ50u6354/dVJfray655ouK6zU3
Db9V9En1Si9Lbq7m5PWDNh0VT1yvqLjXayq6B/7++nmnYvN4yxUVW36uuHyhbstYynAGOJnOARHZ
64VIRBbRRuQj8ggXsNTjgIXaAxF+FsD+qKg3f/YnDslRA8iUtABeO0xLWis0NXFqQC4WZOp03Md2
k/khpLjHImkH7dDEzPRlaBIO1pT0wWrbE12I/x1kVue1s73NU3Weh+ggsf31P2ipmxDT6gdn5WNm
SwV4/Ra662hHv8GVoVoKZW5kc3RyZWFtCmVuZG9iagoyNDMgMCBvYmogPDwKL0xlbmd0aCAxODYg
ICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jM11DM0UzBQMFLQNVQwMVEw
N1NIMeQq5DIxBAoaKJibQ2SSc7mcPLn0wxVMDLn0PYDCXPqevgolRaWpXPpOAc4KQFEXhWignlgu
TxcFBoYaBhDAT/7BTjJikMxIJDsSyQ8m5cGkPZisB5P/QSQzmOT/////P4b/OEio+kFO8jdQSsoD
w+cfgpT/x2AHJP+DSP7/DcDYYP9/8AcoyP5/AAXf/wegAP3fAApFYCBxuXpyBXIBADrpk3AKZW5k
c3RyZWFtCmVuZG9iagoyNDQgMCBvYmogPDwKL0xlbmd0aCAxODcgICAgICAgCi9GaWx0ZXIgL0Zs
YXRlRGVjb2RlCj4+CnN0cmVhbQp42u3RMQrCQBAF0AkWC9PkCJkL6GbRbOwCMYJbCFpZiJVaWiha
x85r2XkU23SmCI67iYUgigewe/zhw8CPu52wTyH1qK0oVhT1aKVwi1rbMKQoai7LDaYG5Yy0Rjmy
MUozpv3usEaZTgakUGY0VxQu0GQESQng8RmYSxD8I1oWEFiAg/jjK/zPCN6QOOSvyB2SCuD2hHfl
wjbuIC5uDJ+PwcnBTsP1PB5zVcN2iwb2GcEAODQ4xQeUzPBuCmVuZHN0cmVhbQplbmRvYmoKMjQ1
IDAgb2JqIDw8Ci9MZW5ndGggMzEwICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJl
YW0KeNqF0DFOw0AQBdCxXFjaxkfwXACcOMERTSyFIOECCSoKRAWUFCDoItZUuZZvkCv4BmzpIvIw
s7OBRAJRWE+aXXn+/vL0eDrBEU7wqJhiWeLJBB/G5tmUBU9HOJuFo/sns6hNfoNlYfILnpu8vsTX
l7dHky+uznBs8iXejnF0Z+olElEHGW3/M6IeICIAEVbsluXPijyzA5+zlehY+jFmM2og7tSETcVW
bCFlE7EReR8biyC6byuQDD3Mg++sBFp5txLHB+q9w87IW5HEEWNvRhJHXHtTWrfqxpvQplE/g+SN
iWDfiIYDtZk9bf+7lTs06w5N2z9swr2dEP4TnAd9O1mr7VSdap22xK31arTTqdoK9UlQ11qn62yn
a2xrdemHvjIjfVVKLrQT0oZSzHltrs0XYcm97wplbmRzdHJlYW0KZW5kb2JqCjI0NiAwIG9iaiA8
PAovTGVuZ3RoIDEzNyAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzPV
MzdXMFAwNAASpuYK5hYKKYZchVwmZgogESAXLJOcy+XkyaUfrmBixqXvARTm0vf0VSgpKk3l0ncK
cFYw5NJ3UYg2VDCI5fJ0UWBgYJBjAAE7MPkPRDCDSX4wWQ8i2f8DSeb/IPI/JvkDpOYPROUoSRey
Hhj0///gIrlcPbkCuQBWSaKUCmVuZHN0cmVhbQplbmRvYmoKMjQ3IDAgb2JqIDw8Ci9MZW5ndGgg
MzAxICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNp90U1KxTAQAOApWQSy
6RGSE9iWR19dGXg+wS4EXbkQV+rShaLr9Gg9So6QZRel4/yIPyAG2q9pZqaTdN+fDENow56vNgyn
4bFzL67f0VymvPDw7A6ja25Dv3PNJb11zXgV3l7fn1xzuD4PnWuO4a4L7b0bjwHAb0CjQixEjbgS
EREngERkWpoiLZoVLC3aQi82qDMAIniJmqLkCB7nlJmcFq6X08oUrmuJ7QuDy39w3jdxEXwRzCRw
40b65pq/yCC7+WQG7UyZQNoFQXYP/BUaWhK0SKXZRtOspllNqzXea3wsWmTW7EmzZWI00GpgTYH0
5LMQZyGBQI1UdLarYBaBDlvIQs27LuBBOOOyRf4R9ct3zJViFKvUileikhT8yfwn7mJ0N+4DfXT7
lAplbmRzdHJlYW0KZW5kb2JqCjI0OCAwIG9iaiA8PAovTGVuZ3RoIDMwNSAgICAgICAKL0ZpbHRl
ciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjajZG9ToRAEMeHbEGyDY/AvIACxR5nRXKeiRQmWlkY
K7W00GjNPdo+Co9ASUEY54OLEBsJ4bfsfP1nZhcu6xpLDHhR4a7Ceo+vlf/wIfBlifWVWV7e/aH1
xSOG4ItbvvZFe4dfn99vvjjcX2PliyM+VVg++/aIAClF4Kejib+OiE4AGaMHyEdHI5siiHEGaGZI
+NQQOL7P6eRmRcpBGUVJxcgUPb//hMUtiM6SJSSpI+y1gkhcwNVX6GbDpBC5AAkNoM1oZ5mFmWNn
Ht26aYa5OGla/kerYKlzK7SkySwyNdf0XGncYDIVW8xbuKjIBkUzKUTkL4j+YlrBnTEukDhHgwyD
lUkbrLPpVXUedZ5Sr+GNzToR7ljUJrxv3bTtXdavIk26zt3ftP7B/wDp/etvCmVuZHN0cmVhbQpl
bmRvYmoKMjQ5IDAgb2JqIDw8Ci9MZW5ndGggMjI1ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29k
ZQo+PgpzdHJlYW0KeNq90L1qwzAQB/AIDYJb9Ai6J4jsUNt0sSEfEA+BdOpQMrUdO7Q0m3H8aH4U
P4JHD4Ikzv0DxUO79UD6oRNCd5cm8yzjiB+uK11w9shvMX1SMuai8ThevH7QsiT/zElGfnvNki93
/P11fCe/3K84Jr/ml5ijA5Vrno0RbvtMTdTQQDvRwQKeJp5FBfVEAy10d/E+hzUMcBBVL2poOtiK
thEdLFBXDisYRDXAXtSdaKBtYSM69FnAGlZwEBXUPexE04oWugZifjmsYYBnieYvf8z/n3X4/3dp
U9ITXQASXdNxCmVuZHN0cmVhbQplbmRvYmoKOCAwIG9iaiA8PAovVHlwZSAvRm9udAovU3VidHlw
ZSAvVHlwZTMKL05hbWUgL0YzMAovRm9udE1hdHJpeCBbMC4wMDgzNiAwIDAgMC4wMDgzNiAwIDBd
Ci9Gb250QkJveCBbIDEgLTI0IDk4IDg0IF0KL1Jlc291cmNlcyA8PCAvUHJvY1NldCBbIC9QREYg
L0ltYWdlQiBdID4+Ci9GaXJzdENoYXIgMjgKL0xhc3RDaGFyIDEyMQovV2lkdGhzIDI1MCAwIFIK
L0VuY29kaW5nIDI1MSAwIFIKL0NoYXJQcm9jcyAyNTIgMCBSCj4+IGVuZG9iagoyNTAgMCBvYmoK
WzczLjA4IDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgNDMuODUgMCAwIDAgNjUuNzcg
NjUuNzcgNjUuNzcgNjUuNzcgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCA5My41IDk1LjAxIDAg
ODYuMzEgMCAxMDMuMzkgMCA0OC40NCAwIDAgMCAwIDAgMCAwIDAgOTcuNzYgNzMuMDggOTEuNDcg
MCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgNjUuNzcgMCA1OC40NyA3My4wOCA1OS44MSA0MC4yIDAg
MCAzNi41NCAwIDAgMCAwIDczLjA4IDY1Ljc3IDAgMCA1My4zOSA1MS44OSA1MS4xNiA3My4wOCAw
IDAgMCA2OS40MyBdCmVuZG9iagoyNTEgMCBvYmogPDwKL1R5cGUgL0VuY29kaW5nCi9EaWZmZXJl
bmNlcyBbMjgvYTI4IDI5Ly5ub3RkZWYgNDUvYTQ1IDQ2Ly5ub3RkZWYgNDkvYTQ5L2E1MC9hNTEv
YTUyIDUzLy5ub3RkZWYgNjYvYTY2L2E2NyA2OC8ubm90ZGVmIDY5L2E2OSA3MC8ubm90ZGVmIDcx
L2E3MSA3Mi8ubm90ZGVmIDczL2E3MyA3NC8ubm90ZGVmIDgyL2E4Mi9hODMvYTg0IDg1Ly5ub3Rk
ZWYgOTcvYTk3IDk4Ly5ub3RkZWYgOTkvYTk5L2ExMDAvYTEwMS9hMTAyIDEwMy8ubm90ZGVmIDEw
NS9hMTA1IDEwNi8ubm90ZGVmIDExMC9hMTEwL2ExMTEgMTEyLy5ub3RkZWYgMTE0L2ExMTQvYTEx
NS9hMTE2L2ExMTcgMTE4Ly5ub3RkZWYgMTIxL2ExMjFdCj4+IGVuZG9iagoyNTIgMCBvYmogPDwK
L2EyOCAyMjQgMCBSCi9hNDUgMjIzIDAgUgovYTQ5IDI0NiAwIFIKL2E1MCAyNDcgMCBSCi9hNTEg
MjQ4IDAgUgovYTUyIDI0OSAwIFIKL2E2NiAyMjUgMCBSCi9hNjcgMjI2IDAgUgovYTY5IDIyNyAw
IFIKL2E3MSAyMjggMCBSCi9hNzMgMjI5IDAgUgovYTgyIDIzMCAwIFIKL2E4MyAyMzEgMCBSCi9h
ODQgMjMyIDAgUgovYTk3IDIzMyAwIFIKL2E5OSAyMzQgMCBSCi9hMTAwIDIzNSAwIFIKL2ExMDEg
MjM2IDAgUgovYTEwMiAyMzcgMCBSCi9hMTA1IDIzOCAwIFIKL2ExMTAgMjM5IDAgUgovYTExMSAy
NDAgMCBSCi9hMTE0IDI0MSAwIFIKL2ExMTUgMjQyIDAgUgovYTExNiAyNDMgMCBSCi9hMTE3IDI0
NCAwIFIKL2ExMjEgMjQ1IDAgUgo+PiBlbmRvYmoKMjUzIDAgb2JqIDw8Ci9MZW5ndGggMTI4ICAg
ICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNotyUELAUEAhuFPU9SX/AKH7w8w
MzvZdovLWmUOipODlMJRIa7MP1+rtvf2vJmfhiCnXBM/k89V6OL5YNmaUxa6cb6xirR7lbTrlmnj
Rq/n+0pbbZfytLUOXu7IWGuOD5p/qUnftEi9LpMMDAboY4QhxihwxwlcRe74A8CXHScKZW5kc3Ry
ZWFtCmVuZG9iagoyNTQgMCBvYmogPDwKL0xlbmd0aCA5MCAgICAgICAgCi9GaWx0ZXIgL0ZsYXRl
RGVjb2RlCj4+CnN0cmVhbQp42jMy1DM2VjBQMANiQ1MFC4UUQ65CLgsgzwDIAYkm53I5eXLphytY
cOl7gAhPX4WSotJULn2nAGcFQy59F4VoQwWDWC5PFwWbuv9AUGfD5erJFcgFAGqQFioKZW5kc3Ry
ZWFtCmVuZG9iagoyNTUgMCBvYmogPDwKL0xlbmd0aCAxNDggICAgICAgCi9GaWx0ZXIgL0ZsYXRl
RGVjb2RlCj4+CnN0cmVhbQp42jMy1TNTMFAwVDCyVDAyUzA1Ukgx5CrkMjIBChooGBlDZJJzuZw8
ufTDFYxMuPQ9gMJc+p6+CiVFpalc+k4BzgqGXPouCtGGCgaxXJ4uCjYMFXUMf/4z/gOhxv9AVN/w
37ahmrGBGY6YG9iZGdiAiJ2Bj42Bh49BhodBQobBwoKhoIDhQQLDAS5XT65ALgDMeSbMCmVuZHN0
cmVhbQplbmRvYmoKMjU2IDAgb2JqIDw8Ci9MZW5ndGggOTQgICAgICAgIAovRmlsdGVyIC9GbGF0
ZURlY29kZQo+PgpzdHJlYW0KeNozMtUzUzBQMFQwNFEwMlIwtFRIMeQq5DIyUABBU4hEci6XkyeX
friCkQGXvoeCKZe+p69CSVFpKpe+U4CzgiGXvotCtKGCQSyXp4vC//8fkBGXqydXIBcAtT8gEgpl
bmRzdHJlYW0KZW5kb2JqCjI1NyAwIG9iaiA8PAovTGVuZ3RoIDE0NCAgICAgICAKL0ZpbHRlciAv
RmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzLVM1MwAEIjSwUjUwVTI4UUQ65CLiMTiKAxRCY5l8vJ
k0s/XMHIhEvfAyjMpe/pq1BSVJrKpe8U4KxgyKXvohBtqGAQy+XposDMwMbOwMfHICPDYCHBYGDB
UGDAkFDA8CCB4QAQPWA8cICxAY7uMe75z/jvf+N/IKpvACF7hjo5BhsuV0+uQC4A6kYr2QplbmRz
dHJlYW0KZW5kb2JqCjI1OCAwIG9iaiA8PAovTGVuZ3RoIDE1OCAgICAgICAKL0ZpbHRlciAvRmxh
dGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzHSMzNTMFAwBGITIwVTY4UUQ65CLhMDBRAEckESyblcTp5c
+uEKJgZc+h5AUS59T1+FkqLSVC59pwBnBUMufReFaKDKWC5PFwUGBvkHDAwM//8wMDB/kGNg4D/A
3sAg3wAk7IFshjoG+QMMf2AE4w8Iwd8AJBgYSCD4D/wHAiQCbtRAEMxAzzyo/3/w/38EweXqyRXI
BQBin3WzCmVuZHN0cmVhbQplbmRvYmoKMjU5IDAgb2JqIDw8Ci9MZW5ndGggMTYwICAgICAgIAov
RmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMdGzUDBQMARiE0sFU2OFFEOuQi4TcyDf
AMQFSSTncjl5cumHK5iYc+l7AEW59D19FUqKSlO59J0CnBUMufRdFKKBKmO5PF0UGBjsH/A/YGD8
/8P+BwP7A7kfNgzyDfwf6hjsGeQf/GMA0kDyD4P9gX+MP+CkBfMHoCoGysn/IHAAmaSWydQl2UG+
Brq2+f9/FJLL1ZMrkAsA5VqC0gplbmRzdHJlYW0KZW5kb2JqCjI2MCAwIG9iaiA8PAovTGVuZ3Ro
IDIxMiAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjabc6xCsIwEAbgCwWF
Q+3q1nsC26JBnApVwQ6CTg4iFNRRUNHZPlofpY/QsYMYL3FoKg0JH3e5kF9OR3JGAY35SElyQqcQ
byhDrgNd6ovjBeME/R3JEP0Vd9FP1vS4P8/ox5s5cXdBe35ywGRBAFCAWQ1EaeNULXTfLfQ/hl6D
4auFIMosrlGuST2bwjNhctdCZG5p6Fo4v0xNOiDeNQMQOoyrlIWnlNKJAF41AZMZopqUh/N/eOtM
P4SmNHAmpzB4nM6tgD8TShVNcJngFr+fbWEhCmVuZHN0cmVhbQplbmRvYmoKMjYxIDAgb2JqIDw8
Ci9MZW5ndGggMTc0ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozNdIz
MlMwUDAGYlMgMlRIMeQq5DIBiYG5IInkXC4nTy79cAUTMy59D6Aol76nr0JJUWkql75TgLMCkO+i
EG2oYBDL5emi8B8EDiCTzH8YGOoPMAJJfjDJ/ABEMiKRDMhkAlaSjcEAB8kAJPmQSDkwWQck////
h0ZCxGFqkHWxQUkeDFIC7AZcpAUSWYBEfgD7Dkwyg0n2D+Bw+AAOkwfIJJerJ1cgFwCAenhrCmVu
ZHN0cmVhbQplbmRvYmoKMjYyIDAgb2JqIDw8Ci9MZW5ndGggMjQyICAgICAgIAovRmlsdGVyIC9G
bGF0ZURlY29kZQo+PgpzdHJlYW0KeNql0DFqw0AQBdAvXAgGE19A4LlAIsnJqhIIHBuiwpBUKUKq
JGWKBLsTSEfzUXwElSqM5ZlZ2cZps7C8ZZZl+T9L7mYZJ/zAtzN2Gbt7/kzph1wqw4Sd8zcf3zQv
KX5ll1L8JGOKyxWvfzdfFM+fH1mmC36TN+9ULhgYHTAGUPRNJPT9LtJZ0OXApEVeAdMtbvZA3SAU
DnK9RyAn2XIChM4IW6HCZHch19dnIhQDjVEr47/A6GHr/4wkUz3QnNDYimQoBrbG9ArNoLRG6NG0
Q3Yh8IXYT5eWtLPKGoxy+6zz7ba+a21BpwAtS3qhI8nObo8KZW5kc3RyZWFtCmVuZG9iagoyNjMg
MCBvYmogPDwKL0xlbmd0aCAxMjcgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVh
bQp42jM11zO1VDBQMAJiUzMFU0OFFEOuQi5TYyDfAMQFSSTncjl5cumHK5gac+l7AEW59D19FUqK
SlO59J0CnBWAfBeFaEMFg1guTxeF////Mf///wOVYvzPwMD+h4HhHwMD84+Bpv4DAQY1KFyGQkHD
DGt4crl6cgVyAQAbvZc6CmVuZHN0cmVhbQplbmRvYmoKMjY0IDAgb2JqIDw8Ci9MZW5ndGggMTAy
ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMtczN1IwUABjMwVTQ4UU
Q65CLiNjIN8AxAVJJOdyOXly6YcrGBlz6XsARbn0PX0VSopKU7n0nQKcFYB8F4VoQwWDWC5PF4X/
//9BEON/BoZ/A4yAboC7h8vVkyuQCwBAo1AzCmVuZHN0cmVhbQplbmRvYmoKMjY1IDAgb2JqIDw8
Ci9MZW5ndGggMTM5ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMdez
tFQwUDAGYhNTBVNDhRRDrkIuE0Mg3wDEBUkk53I5eXLphyuYGHLpewBFufQ9fRVKikpTufSdApwV
gHwXhWigllguTxeF////MTAwIJPMIIKB8c9QIBkbsJPMEJIBO8mORPKDSXkwaQ8m68HkPwbmPwzs
/4BhAgoVZJLL1ZMrkAsAE0BboAplbmRzdHJlYW0KZW5kb2JqCjI2NiAwIG9iaiA8PAovTGVuZ3Ro
IDIyNyAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjarZA9DoJAEEaHUJBM
wxGYCyiirsZGEn8SKUy0sjBWammh0VY4mkfxCJQWRJxZdmLsJYRHvtmdnX1m1B72qEN9anXJDMj0
6JDgGU3CYYeMaSr7E04yjDdkEowXHGOcLel6uR0xnqymxOmMtrxnh9mMAIIK5MnrB3+9KigZwRMk
DQsYM1KAqAC4c8BrKlv2XgB+Ka/8OnAu9VDwtot5UyTIFWkhDQuH3OKhkDkiRW3x/A+09e95DXQk
O6BCp5ar1HojceNVCl8UvNSE86KWnDNuk399OrvOdWMe5xmu8QMNl3GvCmVuZHN0cmVhbQplbmRv
YmoKMjY3IDAgb2JqIDw8Ci9MZW5ndGggMTY3ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+
PgpzdHJlYW0KeNozNdIzMlMwUDAGYhMLBVNDhRRDrkIuExMg3wDEBUkk53I5eXLphyuYmHDpewBF
ufQ9fRVKikpTufSdApwVgHwXhWhDBYNYLk8Xhf////9jYACS/w+AyQ8MzH8Y2P8wMP5hYPgHJuvB
pH0DiJQ/ACYfgEh+ZPIDESSSeqg5BxAm1yNsZP/BwAh2CYhsAIszDADJ/A9E/v//A43kcvXkCuQC
AJMRbewKZW5kc3RyZWFtCmVuZG9iagoyNjggMCBvYmogPDwKL0xlbmd0aCAyMTQgICAgICAgCi9G
aWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42o3PvQrCMBAH8CsOhUNwdRC8F9C01ahbwQ+w
g6CTgzipo6Cia+2j5VH6CB0dxJhLKtRFnH7hksv9Tw66MqKAIupEJIckQ9qHeEbZN8WAZM/d7I44
TlCsSfZRzE0ZRbKg6+V2QDFeTihEMaVNSMEWkylprZ8AYNCZowDwXuBz9cUnBu6OOLO0lSO3NEqK
v/nq+3ymqhNSN92F4DaOphxgi/ze4BeW2qPaACVl+PRrh59kf1C3qCqxanmaaWptouWWRj5i/OLE
iT2dM2ZBnCW4wjfzXoZ6CmVuZHN0cmVhbQplbmRvYmoKMjY5IDAgb2JqIDw8Ci9MZW5ndGggMjQw
ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNpdz7FOxDAMBuAfZYjkpY8Q
vwCkvbYnsVyl45DogAQTA2ICRgYQSAwI+mh5A16hj3BsHaIz9h2gE8snx05sp5kdzedccsOHM66P
ua35rqJHqhtNlty2u8rtAy17ildcNxTPNE2xP+fnp5d7isuLE64orvi64vKG+hUjjA74yB4HIh5+
HT5RDE4QAMFCS0aHN2hmyytQYAL8fzLgdmx+sNdGUrq1IUoQDQvR0IskOLGzyGRley6b35vOgAzW
w+iMYN2KlPbxe4x/2Jhhy2Q7Z9teey/0Y3iHjs74ym7CKDJiDDonOa3TaU+X9A02oGL0CmVuZHN0
cmVhbQplbmRvYmoKMjcwIDAgb2JqIDw8Ci9MZW5ndGggMTQ1ICAgICAgIAovRmlsdGVyIC9GbGF0
ZURlY29kZQo+PgpzdHJlYW0KeNozNdUzMVMwUDAGYlMjBVNDhRRDrkIuEwsg3wDEBUkk53I5eXLp
hyuYWHDpewBFufQ9fRVKikpTufSdApwVgHwXhWhDBYNYLk8Xhfr/QPAPhWxg/8D4r4aB/QODXQWI
lCsAkXwQMgFEsj0AkezI5AEQyYyfZACRDEOH5P8BJOT///+DQnK5enIFcgEA2eJi2gplbmRzdHJl
YW0KZW5kb2JqCjI3MSAwIG9iaiA8PAovTGVuZ3RoIDE3OSAgICAgICAKL0ZpbHRlciAvRmxhdGVE
ZWNvZGUKPj4Kc3RyZWFtCnja5dA9CsJAEAXgFywC06S1MnMB3U1k/QEhECOYQtDKQgRBLQUVrfVo
OUqOkNIiZJ3EKmewmPngzVTPjAdmyppD7odsRmwCPgV0IzOUULPQXI4XilNSWwlILZudrvhxf55J
xes5B6QS3gWs95QmbG0F337aOBaATCXMfnT/gwnwEnSLKxC9gQPgC7mQwckAL0NHcHO4kncKePLs
lOihqa+siWxR49mspimWFilt6AtW6lwuCmVuZHN0cmVhbQplbmRvYmoKMjcyIDAgb2JqIDw8Ci9M
ZW5ndGggMTg4ICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNptyz0KwkAQ
huFPLIRpcgFh5wK6ho0QUAxoBFMIWlmIlVpaKFpnO6+13iTeQPvgOvGnERl4indmTNyOuMOGWyGb
mE3Em5D2ZKooufverHc0zEgvZE96Ipl0NuXj4bQlPZyNOCSd8jLkzoqylJFboO5vQGBLoIkBkMgg
scoKgfvSKKAg4B81L6gKfy5QL6UFt+rDCa/f/EV17AX3+CX44KEKl6NXuMTu71Zdrt42vGQ80AeN
M5rTE1P+UZ0KZW5kc3RyZWFtCmVuZG9iagoyNzMgMCBvYmogPDwKL0xlbmd0aCAxODYgICAgICAg
Ci9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jMx0jMzUzBQMFLQNVQwMVAwNVJIMeQq
5DI2BwoCucYQmeRcLidPLv1wBWNzLn0PoDCXvqevQklRaSqXvlOAs4Ihl76LQrShgkEsl6eLAvMH
BgaG/6gEO4hgphJh3wAk/j9gYP584AcD83eGOgbmfwz2DMx/GOQbmH8w8B8AqgMT7A9AxAcYwQwm
fpBMwA2AmPcAYjzYIrCVb0CWn2eoYWBubgQ6iBHoNAaGegYGLldPrkAuAIYRZIgKZW5kc3RyZWFt
CmVuZG9iagoyNzQgMCBvYmogPDwKL0xlbmd0aCAxNzQgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVj
b2RlCj4+CnN0cmVhbQp42o3NsQrCMBQF0Fs6BN7S1a3vBzRJU8FOgVrBDoJODuKkjoKKrtpPy6f0
EzI6FDVF3B3Oct+9PJOPtGHFGQ81m4xNzntNZ8qKECo24+9ld6SyJrnmrCA5DzHJesHXy+1AslxO
WZOseKNZbamuGOIJ2DfQCRd5tHEbe+GET4K0Ed72ELcPAL178PrTb2OBgW0wSBtMUgeVOJxEG375
yKFLGtjQFh40q2lFH+wrOZAKZW5kc3RyZWFtCmVuZG9iagoyNzUgMCBvYmogPDwKL0xlbmd0aCAx
ODcgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42qXOsQ6CQAwG4BIGki68
gfYF9DgOCNsliIk3mOjkYJzU0UGjK/Bm+Cg8AqPDRbyLSOJoHPoNbdO/UThNEgpI0IRTFFIc0oHj
GUVqmgHF4j3ZnzBTyDYkUmQL00amlnS93I7IstWMOLKctpyCHaqcAECa8rsvoIR+8C9ea5DaoH0J
TuvW4DVOB/4dOhhXJsgg7WZPaSksz58phgPlcO+TUb4jbXjltl6t4TGS2r6mwW8k4FzhGl9Yv0Vx
CmVuZHN0cmVhbQplbmRvYmoKMjc2IDAgb2JqIDw8Ci9MZW5ndGggMTgwICAgICAgIAovRmlsdGVy
IC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNpdyzEOgkAQheFHKEim2daOuYAuC2ikIkFMpDDRysJY
qaWJGm2Bo3GUPcKWFgZclMria/55E8UTNeOAQx4rjkKOYj4pulGY2BhwNP1djhfKCpI7DhOSK5tJ
Fmt+3J9nktlmwYpkznvFwYGKnCE0UL2BVwrXiNrTohGNp/3a7Zm+pnBMBedVDtpB13VfLYB/pVUN
UmDU82vMRY1ANLh6GtoxboO3sAP74RnQsqAtfQCchUD5CmVuZHN0cmVhbQplbmRvYmoKMjc3IDAg
b2JqIDw8Ci9MZW5ndGggMTQzICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0K
eNozMtYzMVcwUDAEYiMLBVNjhRRDrkIuIzMg3wDEBUkk53I5eXLphysYmXHpewBFufQ9fRVKikpT
ufSdApwVDLn0XRSigSpjuTxdFBgY/zAwsP9nYJBnb2Cw4z/AUCN/gOGP/AHGHxDM/IOdgfkDA0n4
//8PcEyqXnIw+w8Ghvr/D+CYy9WTK5ALAIroUUsKZW5kc3RyZWFtCmVuZG9iagoyNzggMCBvYmog
PDwKL0xlbmd0aCAyMzUgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42nWO
sUrEQBCG/5BiYRD3BcSdF9AklxOtLnCeYApBKwu5Si0tFO0OsuCLTedrHPgCKVMcGWeDiIWyw8fu
/P/8O/XZ8ZxLnvFRdcq11ZwfKnqmOnVLPqm+pfsnWrZU3JqBikvrU9Fe8evL2yMVy+tztveK7you
19SuGECwki5Ch0/J+u5D3LbJxUt4j94OQvRiJido4Lb/Y7JM5mnMAqK1G8D1G2BfB2AvCHBgf/7C
4Q9CgtcxQQVOtUeuuku30dRsxALoYGlNQogW6f/ELqnJkiYWKXljC2UD8t42hWo0zUx00dINfQFQ
qle/CmVuZHN0cmVhbQplbmRvYmoKMjc5IDAgb2JqIDw8Ci9MZW5ndGggMTUyICAgICAgIAovRmls
dGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMdIzM1MwUDACYhNDBVMjhRRDrkIuYwsg3wDE
BUkk53I5eXLphysYW3DpewBFufQ9fRVKikpTufSdApwVDLn0XRSiDRUMYrk8XRSYPzAwMPxHJdhB
BDOVCPkDQKL+AwPzxwd/GJg/N9QwMH9nqGNg/gci/jDYQ4kfcOIDTQn2Hwz1Df//H///B0FwuXpy
BXIBAO4WXn8KZW5kc3RyZWFtCmVuZG9iagoyODAgMCBvYmogPDwKL0xlbmd0aCAxMTYgICAgICAg
Ci9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jMy1DM2VjBQMAJiQ0sFU0OFFEOuQi5D
MyDfAMQFSSTncjl5cumHKxiacel7AEW59D19FUqKSlO59J0CnBWAfBeFaEMFg1guTxcF9gb+A/IP
IJD/AHsDAxbA/uA/GPI/YCcR8n/4DwZcrp5cgVwAsIQ8WgplbmRzdHJlYW0KZW5kb2JqCjI4MSAw
IG9iaiA8PAovTGVuZ3RoIDE5MCAgICAgICAKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFt
Cnjarc09CsJAEAXgDSkC0+QCgnMCNz8maCXECKYQtLIQK7UUVLTVHE3wIjlCwMIUIeu8NGpvsR/M
zsybvteLQvY4kBcOOQp469ORwlhqDyUamz0lGeklhzHpqfySzmZ8Pl12pJP5mH3SKa989taUpWyX
SinziwPsf2Kb4hvLoFEJVgHuGMkFF8MdMAAHIAn2sxJetdCA+ipUN3RHWOu2u0hxkecAOSC0N4Cq
QaOcSpncmIcpP9AkowW9Ac2ja0MKZW5kc3RyZWFtCmVuZG9iagoyODIgMCBvYmogPDwKL0xlbmd0
aCAxMDMgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42jMy1DM2VjBQMAJi
Q0sFUyOFFEOuQi5DMyDfAMQFSSTncjl5cumHKxiacel7AEW59D19FUqKSlO59J0CnBUMufRdFKIN
FQxiuTxdFNgf/AdD/gfsNIH8H/6DAZerJ1cgFwDB5UbaCmVuZHN0cmVhbQplbmRvYmoKMjgzIDAg
b2JqIDw8Ci9MZW5ndGggMTcxICAgICAgIAovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0K
eNozM1EwUDACYjNjBWNjhRRDrkIuMwMFEARyQRLJuVxOnlz64QpmBlz6HkBRLn1PX4WSotJULn2n
AGcFQy59F4VoQwWDWC5PFwXmD/IPGP4zMPz/UP+D+f8Bhv8fH9TwMwOFPjfYyTB+YGD/zmBvwfiD
gfkfg30BiP7DANTwB0H/YJA/gEx/YJBvGIQ0+w8G+wOM/xj+/z/+/5/9/w/oNJerJ1cgFwD8WXow
CmVuZHN0cmVhbQplbmRvYmoKMjg0IDAgb2JqIDw8Ci9MZW5ndGggMTQyICAgICAgIAovRmlsdGVy
IC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeNozMdIzM1MwUDACYhNDBWNjhRRDrkIuYwsg3wDEBUkk
53I5eXLphysYW3DpewBFufQ9fRVKikpTufSdApwVDLn0XRSiDRUMYrk8XRSYP8gfYPj/of4Dw/+P
D/4w/P/cUMPA/p2hjoH5H4j4w2APJX7AiQ80Jdh/MNQ3/P9//P8fBMHl6skVyAUAHuNMcwplbmRz
dHJlYW0KZW5kb2JqCjI4NSAwIG9iaiA8PAovTGVuZ3RoIDE3OCAgICAgICAKL0ZpbHRlciAvRmxh
dGVEZWNvZGUKPj4Kc3RyZWFtCnjajY4xCsJAFERnsVj4TY6QfwHdxB/FykCM4BaCVhZipZYWinYS
crQcJUdImSKIa7YRK+Hzihnmz8hslHDEYx7GLFOWhE8xXUnEiRHLxDvHC2WWzI5FyKycTMau+X57
nMlkmwXHZHLexxwdyOYM3QBIXw5dWEI1usKgUjV0pRoEJVqEwNMjBQrM4a5wmS+4eFr+gZ9Y/6+H
7yjRIahU68sHja79Kr/vs5SWlrb0BpL0PdoKZW5kc3RyZWFtCmVuZG9iagoyODYgMCBvYmogPDwK
L0xlbmd0aCAxODkgICAgICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42pXOsQ7B
UBQG4D85Q5OzeATnBbitVtmaUIkOEiaDmDAaCCv1Zn2UPsKVDu7QuC4hYbR8w3+S/z9Rpx3H4ktH
WkFXIl/CUNYB7zjsudSXqP8+rbY8yFjNJeyxGrucVTaRw/64YTWYDiVglcoiEH/JWSqkkxxW2xK2
KgzsDSd4dySgGs2cDJoFaTRelA5P/0DmDzzzW1B+Sl39a6hGkj8BWdSg6mJAV/ca6TMc+BPPOKwt
vuFRxjN+ANvFaRYKZW5kc3RyZWFtCmVuZG9iagoyODcgMCBvYmogPDwKL0xlbmd0aCAxOTEgICAg
ICAgCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp42pXNOw6CQBAG4NlQbDINN5C5gO7i
QkJHgpi4hYlWFsZKLS00WsMNOJLcRI5ASUHEgWiMpc03ybz+QE9CQ5oMjf2QgikZQwcfz2gi7moK
ovdof8LEotqQiVAtuI/KLul6uR1RJasZ+ahS2vqkd2hTAlk7AHErAVpXgmicAmQlCnAr8QCvhA68
HDKIB3iTy4eu5/kP2S/D0+H9EOSWouNw5w5OLTmrGfWBDeNWTH/xL1nOx137BecW1/gC27VF4Apl
bmRzdHJlYW0KZW5kb2JqCjI4OCAwIG9iaiA8PAovTGVuZ3RoIDEzMiAgICAgICAKL0ZpbHRlciAv
RmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnjaMzbQMzBRMFAwBGIjCwVjY4UUQ65CLiMzIN8AxAVJJOdy
G61TX/wmCi78irzZWUHDMpKHVvucLLDRsHDr2jx9HtFAHxKHh5eVMM1ZxmsVzzSQxHUJkcciW7tz
ydk06H9/ZbSvKOOsk3mCfr/m9vXOfAVfKoT0RVDj/YLHPlwue6j7WcafgyVdWa07sUv12xe+bXCV
6OSo1R+s3syUJcXuKxt57WRZfxtxLGIm+6DAV25eeT9IRuc8/EaHLYKEKc7PjdbWnFuWbV6C99OT
zsER5zIfkXPkWsw51gdA0HG0+noPSYKy11rLuWVREHEHQyL1rt0zP5Vk6qHi3idewfN0q1kUguzU
JqvbjvTo3FNfZ3ZnZ3bLe7vV1LiHEPvmgotq8jYlXNN0+aPh4x8iT08zXFng+tXPUvS3sqJxbVfL
qIVcj280HD9jNEpx61SdkMC1/jmtQJHchdil1H+Pf13oohnvx+krfX+6Kw8v2OVo3QIm/m6Mpn43
9/lXLl6aKzezIKMbiCP0fYbpWOcjIQK5cmEXOp684TH7k5bq/bTVtcJzn7vc69U2HAt+FQzkpazt
+sy5QkBO1Ip3y4n9tmIlX9W0+5MDlZUDC/TEgoOuJmOc/nP2C/ZXMlT0H0Nmc+V27ORFIDzkliIV
9OmkO9OM01gcvNoB6oy99Fmfi/Okleyer2beHHR37aCrAVE5XeWrUtCTd0VBwlFM6LR9Na6zNaVH
6a2uPLgveE7xfuZas2RTFPLUTnO3XOQUN9zS1m4laqgLI3Hr9+RsrB46U1rZFNHBatR6iKrzMtLz
8EuiQbW3jtWc6+U94RN4+qK8wPhJRq3qN+NzPbY2zdGICL7K9knzTqg4pRywkjvtlABmx8CQrVUv
7eCML9l9m9tcQyAxFm7z8tsXaZtp6u0thXECdan6l89WzdWZbEEpDWtt6gN+zV6hAwZW5hPZdKT8
RM/YVcvep6srzx+Z0Mu5HuH7TGS0UOktc6jKtIX0DPQrRuKdzp8WqGnO6TnWPdapt2jG1Riy3okK
UiI4NKLxXZ60J9wmvD+Vnhp7GXzD5h7mV1kFNPOAq/1qdYndJsCAEI8sBH8h8FFZEMWajrCzfSH4
GOnxQFzkaSD5Tv2R5+pO10mg5qKpX6721LKI3GxCXLn2keV3KVM6aSoKT5bEcPLMm2Zr0jfDFFmS
CaNLzSgTBPVWNaTl8lmNiqIAgreaUDR7OKfGlhsvQ5NlJsxift66Shatfx0T5B6kjZb1kamO4F0P
tlXC6XxsRdKB7mNQcK8tgHM1nveVpF0e33h0cjaXP8ioFYy9G1qgl8IpjkaTYZ96qPlKazrcWzie
iGOWbvLgYftcJ33xwTAtvcezY/jw8pvS4zq5rgehbULJqmxixoI1QNltPOwTvg+a+lNhQDq2oanK
CZnd4K+oz8v7od7IB5arsxWs77wuxXSXBAOe5AWhd4cDRSkOC03Whsvr+KooipuqXry+ZBKPqTNG
hWS/nCnv99neHHqTgm+UH6skeqnm7rBmjPeGXPQde0JkRiynf01CQ1cMweO0JbWKjTmJvIwdkoJq
PG3PzRVuJ1p0aej6CoDk61gh4ut+juWoZZ8+9jvTO+G6c0n0US6kgrHP418cEhpYdNKOZyJ17jvd
3SL4yRWy/aYd9IJyjvS1dAAL2WH4I+3Ap5AZbqk5aEKt3Gl4xDrlw6x7zJpRDpG45X2finrKt8ko
5WNzjapSAdNc4FM2jn5Nfxt9zYCPhW/XjzyUI3JTokkDjjmDrt5ISApezZS2bdvSeypC+AJVuvjk
iAdFS6I44ZInZi16suMIhxNCDdVtKbkedOpcIp6hse4opJ/USVjJxaL4Y6WuuGyws+mFc3FheQf2
sFk1V+irL0wlNLlk1D33jUtfzeosSmgh7ZwWUbOkIuSRssRZdxnov6ZPoLnM0uyoJflUxGsPdTbw
CLLsYiX8+iyPYl1angpF0t3q/0qe1zYbT11sR+9J98QcOwLPPP30J4sX0pXy5HMWa5bKG72n4qpy
yDtjb5z0yCTXjl6w5XQ7pCjGPI0d7ZvX+xJ/Iq1opZ+gW54i8r2LV/GWSF2oB6INh71pRaOfdOc6
31oXD/rT5j0RSyb76xWbkAABSWp9oTfFm9p10KA8ubnugcGdyZqGG8zke44bOJYxJbaHXYRXn9t2
Kq13hO9PnI+k9/Phku+hGXsqaizGcmuj6B4U/CzXlS/i0E7SCFn+TIIuaZjzxAuNmH5E3yJkuz7R
e6Rtoko9BBS9HuVz1tgUNpWUtU8PKG8CkI+fv2k8EUFHNlZetxY4VUSU9PqzldZvnXxJnCHKHxi0
oJ7SinHMx443v01dxzOHFBV3pl75mXKXIxBfPfkRFn+V96j/Caoa5b1frJ53X1WTYn0jcu7myL5j
6a2Wh2Ljd8KxXPiXJxwNBUwf3k4gxRl9cIerqeZsSKZs44OXzubTOjC8Qiqa/VxXdEVvI8yr13o8
WgUYw6q5LBI9PsxmtTnx3cHtpySw1l6ln1valU3m55A9ZFYwx1kNtT+tNLwbvB5DqPv9667N7SGC
UtfkTL/mlTINMVqldM0rJRwhr5qnLlT4lR+GDN+zv9T/wTyhpHVSeJzUTOOd6UX4sbOEKVy1eTnn
JifJY7awDZUU2ZEI/0ZpG1yyPmLPHxznLAvVRhb7kBk8y4MQKHYMm1qGMb1T3EolXphPzCHa03ta
ysNOP4nG46GPNdUrIzu2lIrntnzb3boRlnPwau+PXGJeR+tiZq+UyLuUNZl18em6I+1zuB3kvSzt
S0yyhnssdgIf78aCVL9/ZrYiUxDxrCIcWNPN8ZysZmwUvuFJTOR7sWnUvHwxDJxforK9e5pzwyLH
12cseZodFwqqWnSeFs2wM1DYs+HuC5f3S5S56WMq23UYtSF7kVS97SO/1XfdYrx6QfD7lUKvuvQA
xC/98L6Poq14OZyV0zuh9fCmfHnk+4M0AgG7AtzFDo+NnUdYPSPYW2yZgWdcHl+G/KlZZRdFfgDr
42h7259bTb9MvcMznSXg16Sb0FKjO3MhTG5Q1lNP5v320y4BS5R+H8GJl6LDeNJa+5XhVVteDtts
BTzH9vDUV7qlNlPDZ/qRyuzN7uGdaFf3Mmdt4iZ5PPkeKOfrZyJpmfDeoWi04dnWGw6m4H2eT0Ku
BgPny/OvK9juCDd4EGWqQJNFz/nezNegSh8ecdETUNW2lH7L/LhtG6X/iv7ksMYQfjvfqe8UkEhH
74vvSYdFvhy09phDkFLT95EOVUFM2Pbl+hmNyg4+/zrURHiSQkabFknJQyUQ/AAyYPKxSGqS3nhe
eKJZdhAUNfs2hY2sS9+09Vmo7tW3iaR7vLq+P1oFIc3HTpDUSnPOy5UPc3NjlAl7OzK74rdTze9k
1Z+evz3c4VcQRQxprKjGpAnlyl2+i8laJbEEowTrdYSuKXLT/MXnkuA6F1UOu/7rqnoSzOnzao+N
gATthJw3jpk6izi89DPiLW7lTrh8rZnC/b63VU7Rk8JngFxo1Je+YLmbf6XP5TsbSKNyMObHcS8a
/5a12uVorizqw9bTh1qesj0F7pzid6Zev/qQ8Y0UR5P0OVhwjrxHiI4aK2bB53YIjlCHaDX5GGL+
2i1ozWvAre3tAyB+asmXYcuCubFpq2ZB4vBn0Zx5S44iJ2tyVASQ6VWtR08ooh++3s69xcqosbed
UP/qparm3reIR0ugkKZJOiRnsMysgK9XoMh43NKSZQfOYLUgWSXiB8lX1+6bRFM4ntFw+0ieR40x
pVImr97pmxV2I1OzzwIB96ZZnlPNU8SYHEcm8LmO+7ycNevTDdnirF8rLC93EzHr1tRyhl5/Ky+t
jdTsX+yIPX2+YovfFSsX1ZSfNpAOX5jYOvTcUThVOWQZU5kWqyePOHayZNdgGpcOJz1i8jdlqLOg
FPEFkVRv2CBGFT8HsWymaUerFoo6GJcZVrV0P89Wm6eeXvwuh6V9fJw+Vq82TCtWvWk8YpDK+ywr
7ANxaWQD+pag6XXyNeFHCBFcb0G3pslcBurc63y8zkH1P8WziyAKZW5kc3RyZWFtCmVuZG9iagoz
NjMgMCBvYmogPDwKL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvR0ZBV1JHK0NNU1kx
MAovRmxhZ3MgNAovRm9udEJCb3ggWy0yOSAtOTYwIDExMTYgNzc1XQovQXNjZW50IDc1MAovQ2Fw
SGVpZ2h0IDY4MwovRGVzY2VudCAtMTk0Ci9JdGFsaWNBbmdsZSAtMTQKL1N0ZW1WIDQwCi9YSGVp
Z2h0IDQzMQovQ2hhclNldCAoL2J1bGxldCkKL0ZvbnRGaWxlIDM2MiAwIFIKPj4gZW5kb2JqCjE1
IDAgb2JqIDw8Ci9UeXBlIC9Gb250Ci9TdWJ0eXBlIC9UeXBlMQovQmFzZUZvbnQgL0dGQVdSRytD
TVNZMTAKL0ZvbnREZXNjcmlwdG9yIDM2MyAwIFIKL0ZpcnN0Q2hhciAxNQovTGFzdENoYXIgMTUK
L1dpZHRocyA5MiAwIFIKPj4gZW5kb2JqCjExIDAgb2JqIDw8Ci9UeXBlIC9QYWdlcwovQ291bnQg
NgovUGFyZW50IDM2NCAwIFIKL0tpZHMgWzIgMCBSIDEzIDAgUiAxNyAwIFIgMjEgMCBSIDI0IDAg
UiAyNyAwIFJdCj4+IGVuZG9iagozMyAwIG9iaiA8PAovVHlwZSAvUGFnZXMKL0NvdW50IDQKL1Bh
cmVudCAzNjQgMCBSCi9LaWRzIFszMSAwIFIgMzUgMCBSIDM4IDAgUiA0MSAwIFJdCj4+IGVuZG9i
agozNjQgMCBvYmogPDwKL1R5cGUgL1BhZ2VzCi9Db3VudCAxMAovS2lkcyBbMTEgMCBSIDMzIDAg
Ul0KPj4gZW5kb2JqCjM2NSAwIG9iaiA8PAovVHlwZSAvQ2F0YWxvZwovUGFnZXMgMzY0IDAgUgo+
PiBlbmRvYmoKMzY2IDAgb2JqIDw8Ci9Qcm9kdWNlciAocGRmVGVYLTEuNDAuMTApCi9DcmVhdG9y
IChUZVgpCi9DcmVhdGlvbkRhdGUgKEQ6MjAxMTA0MjcxOTU1MjgtMDUnMDAnKQovTW9kRGF0ZSAo
RDoyMDExMDQyNzE5NTUyOC0wNScwMCcpCi9UcmFwcGVkIC9GYWxzZQovUFRFWC5GdWxsYmFubmVy
IChUaGlzIGlzIHBkZlRlWCwgVmVyc2lvbiAzLjE0MTU5MjYtMS40MC4xMC0yLjIgKFRlWCBMaXZl
IDIwMDkvRGViaWFuKSBrcGF0aHNlYSB2ZXJzaW9uIDUuMC4wKQo+PiBlbmRvYmoKeHJlZgowIDM2
NwowMDAwMDAwMDAwIDY1NTM1IGYgCjAwMDAwMDE3NDUgMDAwMDAgbiAKMDAwMDAwMTYzMyAwMDAw
MCBuIAowMDAwMDAwMDE1IDAwMDAwIG4gCjAwMDAxMTI4MTcgMDAwMDAgbiAKMDAwMDEwMjc0NSAw
MDAwMCBuIAowMDAwMDk2OTM0IDAwMDAwIG4gCjAwMDAwOTM0OTkgMDAwMDAgbiAKMDAwMDA4MTQ4
MCAwMDAwMCBuIAowMDAwMDcxNDAwIDAwMDAwIG4gCjAwMDAwNTczOTEgMDAwMDAgbiAKMDAwMDEy
MTYwNiAwMDAwMCBuIAowMDAwMDA0MzYxIDAwMDAwIG4gCjAwMDAwMDQyNDYgMDAwMDAgbiAKMDAw
MDAwMTg4MCAwMDAwMCBuIAowMDAwMTIxNDY1IDAwMDAwIG4gCjAwMDAwMDY4OTQgMDAwMDAgbiAK
MDAwMDAwNjc3OSAwMDAwMCBuIAowMDAwMDA0NDU0IDAwMDAwIG4gCjAwMDAwMzQ2ODEgMDAwMDAg
biAKMDAwMDAwOTQ1OSAwMDAwMCBuIAowMDAwMDA5MzQ0IDAwMDAwIG4gCjAwMDAwMDY5ODggMDAw
MDAgbiAKMDAwMDAxMTU2MiAwMDAwMCBuIAowMDAwMDExNDQ3IDAwMDAwIG4gCjAwMDAwMDk1NTMg
MDAwMDAgbiAKMDAwMDAxNDI2NyAwMDAwMCBuIAowMDAwMDE0MTUyIDAwMDAwIG4gCjAwMDAwMTE2
NTUgMDAwMDAgbiAKMDAwMDAyMzgyMCAwMDAwMCBuIAowMDAwMDE2Nzk4IDAwMDAwIG4gCjAwMDAw
MTY2ODMgMDAwMDAgbiAKMDAwMDAxNDM4NCAwMDAwMCBuIAowMDAwMTIxNzE1IDAwMDAwIG4gCjAw
MDAwMTg5NDkgMDAwMDAgbiAKMDAwMDAxODgzNCAwMDAwMCBuIAowMDAwMDE2OTAzIDAwMDAwIG4g
CjAwMDAwMjEwMzMgMDAwMDAgbiAKMDAwMDAyMDkxOCAwMDAwMCBuIAowMDAwMDE5MDU0IDAwMDAw
IG4gCjAwMDAwMjE3MDcgMDAwMDAgbiAKMDAwMDAyMTU5MiAwMDAwMCBuIAowMDAwMDIxMTI2IDAw
MDAwIG4gCjAwMDAwMjE3NzcgMDAwMDAgbiAKMDAwMDAyMjA2OSAwMDAwMCBuIAowMDAwMDIyMzM2
IDAwMDAwIG4gCjAwMDAwMjI1ODggMDAwMDAgbiAKMDAwMDAyMjkzNCAwMDAwMCBuIAowMDAwMDIz
MjM5IDAwMDAwIG4gCjAwMDAwMjM0OTcgMDAwMDAgbiAKMDAwMDAyNDA2NiAwMDAwMCBuIAowMDAw
MDI0MTYzIDAwMDAwIG4gCjAwMDAwMjQzMTYgMDAwMDAgbiAKMDAwMDAyNDQyOCAwMDAwMCBuIAow
MDAwMDI0NjEzIDAwMDAwIG4gCjAwMDAwMjQ3ODkgMDAwMDAgbiAKMDAwMDAyNTE2MCAwMDAwMCBu
IAowMDAwMDI1NDc1IDAwMDAwIG4gCjAwMDAwMjU4NjEgMDAwMDAgbiAKMDAwMDAyNjE0OSAwMDAw
MCBuIAowMDAwMDI2NTI5IDAwMDAwIG4gCjAwMDAwMjY3MzAgMDAwMDAgbiAKMDAwMDAyNjkxNCAw
MDAwMCBuIAowMDAwMDI3MTY2IDAwMDAwIG4gCjAwMDAwMjc1MjMgMDAwMDAgbiAKMDAwMDAyNzc4
OCAwMDAwMCBuIAowMDAwMDI4MTE5IDAwMDAwIG4gCjAwMDAwMjg1MDMgMDAwMDAgbiAKMDAwMDAy
ODc0NSAwMDAwMCBuIAowMDAwMDI5MDU3IDAwMDAwIG4gCjAwMDAwMjkzNTEgMDAwMDAgbiAKMDAw
MDAyOTY1MiAwMDAwMCBuIAowMDAwMDI5OTU4IDAwMDAwIG4gCjAwMDAwMzAyMDUgMDAwMDAgbiAK
MDAwMDAzMDU2NiAwMDAwMCBuIAowMDAwMDMwODEzIDAwMDAwIG4gCjAwMDAwMzEwMjQgMDAwMDAg
biAKMDAwMDAzMTIxMSAwMDAwMCBuIAowMDAwMDMxNTAwIDAwMDAwIG4gCjAwMDAwMzE3NDIgMDAw
MDAgbiAKMDAwMDAzMjAzNSAwMDAwMCBuIAowMDAwMDMyMzQyIDAwMDAwIG4gCjAwMDAwMzI1ODMg
MDAwMDAgbiAKMDAwMDAzMjg4NiAwMDAwMCBuIAowMDAwMDMzMTM5IDAwMDAwIG4gCjAwMDAwMzM0
MzUgMDAwMDAgbiAKMDAwMDAzMzc5MSAwMDAwMCBuIAowMDAwMDMzOTk3IDAwMDAwIG4gCjAwMDAw
MzQzNDMgMDAwMDAgbiAKMDAwMDAzNDkyNyAwMDAwMCBuIAowMDAwMDM1MjQwIDAwMDAwIG4gCjAw
MDAwMzU2MzAgMDAwMDAgbiAKMDAwMDAzNjEwMCAwMDAwMCBuIAowMDAwMDM2MTIyIDAwMDAwIG4g
CjAwMDAwMzYzOTEgMDAwMDAgbiAKMDAwMDAzNjY1OSAwMDAwMCBuIAowMDAwMDM2ODQzIDAwMDAw
IG4gCjAwMDAwMzcwMjUgMDAwMDAgbiAKMDAwMDAzNzI4MiAwMDAwMCBuIAowMDAwMDM3NTM2IDAw
MDAwIG4gCjAwMDAwMzc3MTkgMDAwMDAgbiAKMDAwMDAzNzkwOSAwMDAwMCBuIAowMDAwMDM4MTIw
IDAwMDAwIG4gCjAwMDAwMzgzMDYgMDAwMDAgbiAKMDAwMDAzODUxOCAwMDAwMCBuIAowMDAwMDM4
NjkzIDAwMDAwIG4gCjAwMDAwMzg5MjcgMDAwMDAgbiAKMDAwMDAzOTEwOSAwMDAwMCBuIAowMDAw
MDM5MzMwIDAwMDAwIG4gCjAwMDAwMzk1NzMgMDAwMDAgbiAKMDAwMDAzOTc0OCAwMDAwMCBuIAow
MDAwMDM5OTk0IDAwMDAwIG4gCjAwMDAwNDAxNjUgMDAwMDAgbiAKMDAwMDA0MDQxOCAwMDAwMCBu
IAowMDAwMDQwNjc0IDAwMDAwIG4gCjAwMDAwNDA5NjMgMDAwMDAgbiAKMDAwMDA0MTI3OSAwMDAw
MCBuIAowMDAwMDQxNTY5IDAwMDAwIG4gCjAwMDAwNDE5MTAgMDAwMDAgbiAKMDAwMDA0MjE4NSAw
MDAwMCBuIAowMDAwMDQyNDQ3IDAwMDAwIG4gCjAwMDAwNDI2OTQgMDAwMDAgbiAKMDAwMDA0MzAy
OSAwMDAwMCBuIAowMDAwMDQzMjM1IDAwMDAwIG4gCjAwMDAwNDM0MjIgMDAwMDAgbiAKMDAwMDA0
MzY2OCAwMDAwMCBuIAowMDAwMDQzOTkyIDAwMDAwIG4gCjAwMDAwNDQyMTMgMDAwMDAgbiAKMDAw
MDA0NDUzOCAwMDAwMCBuIAowMDAwMDQ0ODYyIDAwMDAwIG4gCjAwMDAwNDUxODIgMDAwMDAgbiAK
MDAwMDA0NTQzMCAwMDAwMCBuIAowMDAwMDQ1NzMyIDAwMDAwIG4gCjAwMDAwNDYwNjkgMDAwMDAg
biAKMDAwMDA0NjMwMCAwMDAwMCBuIAowMDAwMDQ2NTcyIDAwMDAwIG4gCjAwMDAwNDY4OTMgMDAw
MDAgbiAKMDAwMDA0NzI4MSAwMDAwMCBuIAowMDAwMDQ3NjQxIDAwMDAwIG4gCjAwMDAwNDc5NTQg
MDAwMDAgbiAKMDAwMDA0ODIzOSAwMDAwMCBuIAowMDAwMDQ4NTE4IDAwMDAwIG4gCjAwMDAwNDg3
ODEgMDAwMDAgbiAKMDAwMDA0OTA2MCAwMDAwMCBuIAowMDAwMDQ5MzMwIDAwMDAwIG4gCjAwMDAw
NDk1NTIgMDAwMDAgbiAKMDAwMDA0OTg3MCAwMDAwMCBuIAowMDAwMDUwMTA2IDAwMDAwIG4gCjAw
MDAwNTAzMDkgMDAwMDAgbiAKMDAwMDA1MDU0MCAwMDAwMCBuIAowMDAwMDUwODE3IDAwMDAwIG4g
CjAwMDAwNTEwMDYgMDAwMDAgbiAKMDAwMDA1MTI2NCAwMDAwMCBuIAowMDAwMDUxNDkyIDAwMDAw
IG4gCjAwMDAwNTE3NjEgMDAwMDAgbiAKMDAwMDA1MjAzOCAwMDAwMCBuIAowMDAwMDUyMzIxIDAw
MDAwIG4gCjAwMDAwNTI1NDIgMDAwMDAgbiAKMDAwMDA1MjgxOCAwMDAwMCBuIAowMDAwMDUzMDUw
IDAwMDAwIG4gCjAwMDAwNTMyODQgMDAwMDAgbiAKMDAwMDA1MzU0OCAwMDAwMCBuIAowMDAwMDUz
ODYyIDAwMDAwIG4gCjAwMDAwNTQxNTMgMDAwMDAgbiAKMDAwMDA1NDQ1MyAwMDAwMCBuIAowMDAw
MDU0NzIyIDAwMDAwIG4gCjAwMDAwNTQ5MjQgMDAwMDAgbiAKMDAwMDA1NTIzMyAwMDAwMCBuIAow
MDAwMDU1NTQ5IDAwMDAwIG4gCjAwMDAwNTU4MTggMDAwMDAgbiAKMDAwMDA1NjEyNSAwMDAwMCBu
IAowMDAwMDU2NDQ5IDAwMDAwIG4gCjAwMDAwNTY3MjcgMDAwMDAgbiAKMDAwMDA1NzA3MyAwMDAw
MCBuIAowMDAwMDU3NjQxIDAwMDAwIG4gCjAwMDAwNTgyMDEgMDAwMDAgbiAKMDAwMDA1ODgwNiAw
MDAwMCBuIAowMDAwMDU5ODk5IDAwMDAwIG4gCjAwMDAwNjAxODAgMDAwMDAgbiAKMDAwMDA2MDQ1
NyAwMDAwMCBuIAowMDAwMDYwNjQwIDAwMDAwIG4gCjAwMDAwNjA4MTcgMDAwMDAgbiAKMDAwMDA2
MTA2OCAwMDAwMCBuIAowMDAwMDYxNDA1IDAwMDAwIG4gCjAwMDAwNjE2OTQgMDAwMDAgbiAKMDAw
MDA2MjAzOCAwMDAwMCBuIAowMDAwMDYyMzAzIDAwMDAwIG4gCjAwMDAwNjI2NDYgMDAwMDAgbiAK
MDAwMDA2MjgyOCAwMDAwMCBuIAowMDAwMDYzMDc2IDAwMDAwIG4gCjAwMDAwNjMzMjIgMDAwMDAg
biAKMDAwMDA2MzYzNiAwMDAwMCBuIAowMDAwMDYzOTgwIDAwMDAwIG4gCjAwMDAwNjQyMTMgMDAw
MDAgbiAKMDAwMDA2NDQ5MCAwMDAwMCBuIAowMDAwMDY0NzcwIDAwMDAwIG4gCjAwMDAwNjUwNDIg
MDAwMDAgbiAKMDAwMDA2NTMwNyAwMDAwMCBuIAowMDAwMDY1NTg0IDAwMDAwIG4gCjAwMDAwNjU4
NTYgMDAwMDAgbiAKMDAwMDA2NjA5MiAwMDAwMCBuIAowMDAwMDY2NDM3IDAwMDAwIG4gCjAwMDAw
NjY2NzUgMDAwMDAgbiAKMDAwMDA2Njg3OCAwMDAwMCBuIAowMDAwMDY3MDY0IDAwMDAwIG4gCjAw
MDAwNjczMzMgMDAwMDAgbiAKMDAwMDA2NzU2NSAwMDAwMCBuIAowMDAwMDY3ODIyIDAwMDAwIG4g
CjAwMDAwNjgwOTUgMDAwMDAgbiAKMDAwMDA2ODMyMCAwMDAwMCBuIAowMDAwMDY4NTg4IDAwMDAw
IG4gCjAwMDAwNjg4MTkgMDAwMDAgbiAKMDAwMDA2OTA0OSAwMDAwMCBuIAowMDAwMDY5MzI5IDAw
MDAwIG4gCjAwMDAwNjk2NTUgMDAwMDAgbiAKMDAwMDA2OTg1OCAwMDAwMCBuIAowMDAwMDcwMTcw
IDAwMDAwIG4gCjAwMDAwNzA0ODggMDAwMDAgbiAKMDAwMDA3MDc1NyAwMDAwMCBuIAowMDAwMDcx
MDY3IDAwMDAwIG4gCjAwMDAwNzE2NDggMDAwMDAgbiAKMDAwMDA3MjAyNSAwMDAwMCBuIAowMDAw
MDcyNDczIDAwMDAwIG4gCjAwMDAwNzMwNzIgMDAwMDAgbiAKMDAwMDA3MzI0OCAwMDAwMCBuIAow
MDAwMDczNTM5IDAwMDAwIG4gCjAwMDAwNzM4ODcgMDAwMDAgbiAKMDAwMDA3NDMwNiAwMDAwMCBu
IAowMDAwMDc0NjE1IDAwMDAwIG4gCjAwMDAwNzUwNDUgMDAwMDAgbiAKMDAwMDA3NTIzMSAwMDAw
MCBuIAowMDAwMDc1NjAyIDAwMDAwIG4gCjAwMDAwNzYwMjkgMDAwMDAgbiAKMDAwMDA3NjI4NiAw
MDAwMCBuIAowMDAwMDc2NjM3IDAwMDAwIG4gCjAwMDAwNzY5NjEgMDAwMDAgbiAKMDAwMDA3NzI5
NSAwMDAwMCBuIAowMDAwMDc3NjIwIDAwMDAwIG4gCjAwMDAwNzc4NzYgMDAwMDAgbiAKMDAwMDA3
ODA5NSAwMDAwMCBuIAowMDAwMDc4MzYwIDAwMDAwIG4gCjAwMDAwNzg2NzIgMDAwMDAgbiAKMDAw
MDA3ODkyMiAwMDAwMCBuIAowMDAwMDc5MjYyIDAwMDAwIG4gCjAwMDAwNzk1MjkgMDAwMDAgbiAK
MDAwMDA3OTc5NyAwMDAwMCBuIAowMDAwMDgwMTg4IDAwMDAwIG4gCjAwMDAwODA0MDYgMDAwMDAg
biAKMDAwMDA4MDc4OCAwMDAwMCBuIAowMDAwMDgxMTc0IDAwMDAwIG4gCjAwMDAwODE3MjggMDAw
MDAgbiAKMDAwMDA4MjA0MyAwMDAwMCBuIAowMDAwMDgyNDA5IDAwMDAwIG4gCjAwMDAwODI3OTQg
MDAwMDAgbiAKMDAwMDA4MzAwMyAwMDAwMCBuIAowMDAwMDgzMTc0IDAwMDAwIG4gCjAwMDAwODM0
MDMgMDAwMDAgbiAKMDAwMDA4MzU3OCAwMDAwMCBuIAowMDAwMDgzODAzIDAwMDAwIG4gCjAwMDAw
ODQwNDIgMDAwMDAgbiAKMDAwMDA4NDI4MyAwMDAwMCBuIAowMDAwMDg0NTc2IDAwMDAwIG4gCjAw
MDAwODQ4MzEgMDAwMDAgbiAKMDAwMDA4NTE1NCAwMDAwMCBuIAowMDAwMDg1MzYyIDAwMDAwIG4g
CjAwMDAwODU1NDUgMDAwMDAgbiAKMDAwMDA4NTc2NSAwMDAwMCBuIAowMDAwMDg2MDczIDAwMDAw
IG4gCjAwMDAwODYzMjEgMDAwMDAgbiAKMDAwMDA4NjYxNiAwMDAwMCBuIAowMDAwMDg2OTM3IDAw
MDAwIG4gCjAwMDAwODcxNjMgMDAwMDAgbiAKMDAwMDA4NzQyMyAwMDAwMCBuIAowMDAwMDg3Njky
IDAwMDAwIG4gCjAwMDAwODc5NTkgMDAwMDAgbiAKMDAwMDA4ODIxNCAwMDAwMCBuIAowMDAwMDg4
NDgyIDAwMDAwIG4gCjAwMDAwODg3NDMgMDAwMDAgbiAKMDAwMDA4ODk2NyAwMDAwMCBuIAowMDAw
MDg5MjgzIDAwMDAwIG4gCjAwMDAwODk1MTYgMDAwMDAgbiAKMDAwMDA4OTcxMyAwMDAwMCBuIAow
MDAwMDg5OTg0IDAwMDAwIG4gCjAwMDAwOTAxNjggMDAwMDAgbiAKMDAwMDA5MDQyMCAwMDAwMCBu
IAowMDAwMDkwNjQzIDAwMDAwIG4gCjAwMDAwOTA5MDIgMDAwMDAgbiAKMDAwMDA5MTE3MiAwMDAw
MCBuIAowMDAwMDkxNDQ0IDAwMDAwIG4gCjAwMDAwOTE2NTcgMDAwMDAgbiAKMDAwMDA5MTkyNSAw
MDAwMCBuIAowMDAwMDkyMTQ4IDAwMDAwIG4gCjAwMDAwOTIzNzMgMDAwMDAgbiAKMDAwMDA5MjYz
MiAwMDAwMCBuIAowMDAwMDkyOTI2IDAwMDAwIG4gCjAwMDAwOTMyMDUgMDAwMDAgbiAKMDAwMDA5
Mzc0NyAwMDAwMCBuIAowMDAwMDk0MTQxIDAwMDAwIG4gCjAwMDAwOTQ1MzMgMDAwMDAgbiAKMDAw
MDA5NTEzNiAwMDAwMCBuIAowMDAwMDk1NDUyIDAwMDAwIG4gCjAwMDAwOTU3MjMgMDAwMDAgbiAK
MDAwMDA5NTk4MSAwMDAwMCBuIAowMDAwMDk2MjM1IDAwMDAwIG4gCjAwMDAwOTY0NTQgMDAwMDAg
biAKMDAwMDA5NjcxMCAwMDAwMCBuIAowMDAwMDk3MTgwIDAwMDAwIG4gCjAwMDAwOTczMzEgMDAw
MDAgbiAKMDAwMDA5NzQ0OSAwMDAwMCBuIAowMDAwMDk3NTY2IDAwMDAwIG4gCjAwMDAwOTc3ODMg
MDAwMDAgbiAKMDAwMDA5Nzk1OSAwMDAwMCBuIAowMDAwMDk4Mzg3IDAwMDAwIG4gCjAwMDAwOTg3
MjUgMDAwMDAgbiAKMDAwMDA5OTAwOSAwMDAwMCBuIAowMDAwMDk5MzAwIDAwMDAwIG4gCjAwMDAw
OTk1MDYgMDAwMDAgbiAKMDAwMDA5OTY5NyAwMDAwMCBuIAowMDAwMDk5OTgxIDAwMDAwIG4gCjAw
MDAxMDAyMjEgMDAwMDAgbiAKMDAwMDEwMDUxMSAwMDAwMCBuIAowMDAwMTAwODEwIDAwMDAwIG4g
CjAwMDAxMDEwMzUgMDAwMDAgbiAKMDAwMDEwMTI3NiAwMDAwMCBuIAowMDAwMTAxNjA1IDAwMDAw
IG4gCjAwMDAxMDE4OTMgMDAwMDAgbiAKMDAwMDEwMjEwNSAwMDAwMCBuIAowMDAwMTAyNDQ1IDAw
MDAwIG4gCjAwMDAxMDI5OTMgMDAwMDAgbiAKMDAwMDEwMzI0NSAwMDAwMCBuIAowMDAwMTAzNTU0
IDAwMDAwIG4gCjAwMDAxMDM4MzQgMDAwMDAgbiAKMDAwMDEwNDA2NCAwMDAwMCBuIAowMDAwMTA0
MjQyIDAwMDAwIG4gCjAwMDAxMDQ2OTEgMDAwMDAgbiAKMDAwMDEwNTAxNSAwMDAwMCBuIAowMDAw
MTA1NDk1IDAwMDAwIG4gCjAwMDAxMDU3MjIgMDAwMDAgbiAKMDAwMDEwNTk3OSAwMDAwMCBuIAow
MDAwMTA2Mzc2IDAwMDAwIG4gCjAwMDAxMDY2OTAgMDAwMDAgbiAKMDAwMDEwNzA4NCAwMDAwMCBu
IAowMDAwMTA3NTM5IDAwMDAwIG4gCjAwMDAxMDc4MTAgMDAwMDAgbiAKMDAwMDEwODE3OCAwMDAw
MCBuIAowMDAwMTA4NTIxIDAwMDAwIG4gCjAwMDAxMDg4OTIgMDAwMDAgbiAKMDAwMDEwOTI0MCAw
MDAwMCBuIAowMDAwMTA5NTAzIDAwMDAwIG4gCjAwMDAxMDk4MDMgMDAwMDAgbiAKMDAwMDExMDAy
NiAwMDAwMCBuIAowMDAwMTEwMjMwIDAwMDAwIG4gCjAwMDAxMTA1MTggMDAwMDAgbiAKMDAwMDEx
MDg0OCAwMDAwMCBuIAowMDAwMTExMjE3IDAwMDAwIG4gCjAwMDAxMTE0ODMgMDAwMDAgbiAKMDAw
MDExMTg0NSAwMDAwMCBuIAowMDAwMTEyMTE3IDAwMDAwIG4gCjAwMDAxMTI0MDEgMDAwMDAgbiAK
MDAwMDExMzA2NyAwMDAwMCBuIAowMDAwMTEzMzU1IDAwMDAwIG4gCjAwMDAxMTM3MzAgMDAwMDAg
biAKMDAwMDExNDEzMSAwMDAwMCBuIAowMDAwMTIxMjM4IDAwMDAwIG4gCjAwMDAxMjE4MTEgMDAw
MDAgbiAKMDAwMDEyMTg3OSAwMDAwMCBuIAowMDAwMTIxOTMyIDAwMDAwIG4gCnRyYWlsZXIKPDwg
L1NpemUgMzY3Ci9Sb290IDM2NSAwIFIKL0luZm8gMzY2IDAgUgovSUQgWzw4MTk4QkVCMjFGQ0FB
RERCRDg0QkQ4Nzk2MTA3RjEzRT4gPDgxOThCRUIyMUZDQUFEREJEODRCRDg3OTYxMDdGMTNFPl0g
Pj4Kc3RhcnR4cmVmCjEyMjE5OQolJUVPRgo=
--0016e649c86c4cae4204a1f026c6--

From dhc2@dcrocker.net  Wed Apr 27 18:07:29 2011
Return-Path: <dhc2@dcrocker.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 847EDE08AD for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 18:07:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.438
X-Spam-Level: 
X-Spam-Status: No, score=-7.438 tagged_above=-999 required=5 tests=[AWL=1.162,  BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ceTWntDU8MX0 for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 18:07:28 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by ietfa.amsl.com (Postfix) with ESMTP id 43966E0800 for <saag@ietf.org>; Wed, 27 Apr 2011 18:07:28 -0700 (PDT)
Received: from [192.168.1.4] (adsl-67-127-56-68.dsl.pltn13.pacbell.net [67.127.56.68]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id p3S17MnX015887 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Wed, 27 Apr 2011 18:07:27 -0700
Message-ID: <4DB8BDBD.9080604@dcrocker.net>
Date: Wed, 27 Apr 2011 18:07:09 -0700
From: Dave CROCKER <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.17]); Wed, 27 Apr 2011 18:07:28 -0700 (PDT)
Subject: [saag] DOSETA paper for the W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 01:07:29 -0000

Folks,

Since I've been shopping this to every IETF venue I can get away with, I'll 
choose to use the thread on Sean and Stephen's W3C Identity paper as an excuse 
to burden this list with my own paper on Domain Security Tagging (DOSETA) and 
would appreciate any comments.

d/

-----------


Tailored Signatures with DOSETA

D. Crocker
Brandenburg InternetWorking
bbiw.net

April 27, 2011



     Abstract

Trust begins with a verifiably correct identifier, coupled with claims
about the meaning of the identifier’s presence. To date, Internet-scale
authentication services have achieved limited deployment and less use,
often with far more restricted actual semantics than are assumed by
users. Domain Security Tagging (DOSETA) creates convenient
specification, development, deployment and use of trust-related
identifiers, by generalizing upon the core mechanisms of DKIM. Hence the
effort needed for development and use of new authentication services is
minimized. DOSETA is based on domain names as (organizational)
identifiers and self-certifying keys stored in the Domain Name System.
This paper summarizes the scope and details of DOSETA and describes an
initial application for signing MIME objects.


     Introduction

What does a signature mean? In the paper world, it might mean
authorization for a charge on a credit card, or acknowledgment that a
letter has been received, or the sale of a house. The language
surrounding the signature defines its meaning. In the digital world,
existing signature mechanisms typically are not as flexible. The meaning
is built into the specification for a particular signature and the
effort to create a new type of signature is typically quite high.
Consequently, there is a very small range of digital signatures
performed on the Internet today.

What if it were easy to define a new type of signature with new
semantics? This is not an issue of basic algorithms, but of defining the
semantics and the packaging, along with a small matter of a certificate
authority, to start the trust hierarchy, and of deployment and use
effort. DOmain SEcurity TAgging [DOSETA] provides this flexibility and
ease. It is based on the core mechanisms from [DKIM], extracted into a
library of protocol components that minimize the incremental effort to
develop a purpose-built data signature mechanism.[1]
This protocol design library is used by a signature protocol designer to
provide a high point of specification departure, primarily limited to
definition of semantics and mapping from a template to the specifics of
the environment for the new signature.

The core DOSETA services include:

    1. A standardized mechanism for access to a signature’s public key,
       using existing infrastructure.

    2. A packaging method for associating key-related information with
       the data being signed, in a manner that can be invisible to a
       non-participating receiver of the data.

    3. A basic set of cryptography algorithms, but this is extensible by
       registration.

    4. A basic set of algorithms for data canonicalizations, to withstand
       small changes to the data when it is in transit, but this is
       extensible by registration.

This core is enhanced with a “template” for performing object-oriented
authentication on data that conform to a classic header/content model.
The template supports asserting a list of signature semantic “claims”
through an extensible registry. Hence, a signature can assert multiple
meanings, such as validation of the purported author and validation of
the content.

An object-oriented approach is distinguished from a channel-oriented
approach, such as SSL/TLS. The philosophical difference essentially
means that a channel-oriented scheme protects the path and does not care
what bits pass over it. An object-oriented scheme protects a package of
data and does not care what path the data travel.

DOSETA is based on some simplifying assumptions:

    1. Signatures are by organizations, not individuals. Hence, the
       identity and naming mechanism is relatively coarse-grained,
       specifically in the form of a domain name. (It is possible to use
       domain names to refer to individuals, but this has not typically
       proved practical at scale.)

    2. Signature keys are self-certifying. Because a domain name is the
       signature identifier, a public key that is associated with the
       signature is stored under that name in the DNS. The premise is
       that the owner of the domain name controls what is put into the
       DNS under that name. Self-certifying keys have significant appeal,
       but they also have limitations for use. Some signatures really do
       need to be vetted by an outside trust authority. DOSETA does not
       (currently) satisfy such a requirement, when asserted.

To the extent that higher-valued signature assurances are needed, adding
in the use of DNSSEC can be helpful to reduce a concern that an
independent agent might have modified the DNS records under the name.


     Key Storage

DOSETA re-uses the DKIM/DomainKeys key storage mechanism. This employs a
DNS TXT resource record, containing public key parameters to be used
when validating a signature. A key query is made to the domain name:

      <selector>._domainkey.<domain>

where:

domain: is the identifier used to do the signing.

selector: is an administrative qualifier, which supports use of
multiple keys for the same identifier, such as to permit multiple
individuals being able to sign, or to permit rolling over to a new key
in a graceful manner. The full string is used to do a retrieval, but the
string that specifies the signing “identifier” is only the base
<domain> string.

The constant string “_domainkey” is used to signal that the sub-tree
provides attribute information to the parent domain, in this case the
parameters for a public key.

The key storage mechanism re-uses the DKIM/DomainKeys name format on the
theory that there is no added security in defining a different scheme
and name tree, such as using a different “underscore” constant string,
and that there is considerable administrative benefit in avoiding the
effort to create and maintain a new set of keys. However, it is a small
matter for any new protocol designer to create a new naming tree, by
specifying a different constant. (Populating and maintaining a new tree of
keys will be less easy.)


     Packaging of Parameters

Digital signature mechanisms usually impose their presence on the
receiver of data. [OpenPGP] has specialized, in-line packaging. [S/MIME]
uses MIME Multipart/Secure packaging. For recipients of the data who do
not participate in the security mechanism, this largely renders the data
unusable.[2]

In contrast, the DOSETA scheme puts the signature information into a
separate header field, out of the way of software (and users) not
prepared to process it. Within this header field, parameters use a
simple attribute/value textual tagging format.


     Cryptographic Routines

DOSETA re-uses the set of cryptography algorithms used for DKIM. These
are defined as extensible sets, so that the effort of adding new
algorithms is primarily the work of defining new registry entries.


     Data Canonicalization

In transit, some services subject data to transformation, such as
reducing a string of linear white space to a single string, or mapping
newline to a particular character (or character pair.) Changes like
these often are benign. They do not change the “meaning” of the data and
it makes sense to define the signature in a way that is robust against
the changes. DOSETA re-uses the two canonicalization schemes currently
in DKIM. However, an additional scheme is being contemplated, to provide
robustness against some additional transformations that appear to be
common. Note, however, that the more robust a canonicalization
algorithm, the more opportunity there is for a bad actor to find a way
to exploit the signature insensitivity.


     Signature Template

DOSETA defines a generic signing protocol template, for data that has a
header and separate content, such as email and MIME. A variety of other
data formats appear to be friendly candidates for this model, such as
JSON and XML.

When conforming to the template, a new signature designer merely needs
to define:

D-Signature association:  How is the signature data linked to the
cover header and the content?

Semantics signaling:      How does the consuming application detect that
the signature is present? Although this will normally be accomplished by
detecting the signature in a standardized header field that holds the
signature attributes, other approaches might make sense in some situations.

Semantics:                The meaning(s) of a signature. A registry supports
definition of multiple “claims” that can be listed and asserted by a
signature.

Header/Content mapping:   How are the actual header and content data for
a particular signing service mapped from the generic DOSETA template?


     Claims Registry

As described earlier, a signature can have different or multiple
meanings. The DOSETA signature template defines a registry for signature
semantics, so that one or more can be asserted at the time of signing.
The initial entries for the registry are:

handled:      The signer had a role in processing the object. (This claim
is approximately equivalent to the semantics of DKIM.)

validauth:    Purported author of object is valid.

validdata:    All of the content is valid.

validfields:  The listed portions of the object are valid.


     MIME Authentication

As an initial demonstration of DOSETA’s flexibility and utility, there
is a definition of authentication for signed MIME bodies [MIMEAUTH].

To follow the template described above:

D-Signature association:  The Content-Authentication: field is
defined to hold the parameters.

Semantics signaling:      The presence of a Content-Authentication:
field signals the presence of a MIMEAUTH signature.

Semantics:                The meaning of a MIMEAUTH signature is asserted by listing
one or more claims from the DOSETA Claims Registry.

Header/content mapping:   Specified MIME fields map to the DOSETA
template’s header and the MIME Body maps to the DOSETA template’s content.

DOSETA’s signature template re-uses an interesting feature from DKIM,
namely the selective inclusion of header fields to be covered by the
signature. The reason that not all fields are automatically included
refers back to DKIM’s email context: In transit, some fields are added
(and therefore can not be part of the signature) and some fields are
subject to particularly violent transformations that would break the
signature.

In addition to permitting selective inclusion of MIME header fields,
this mechanism permits selective inclusion of fields that are part of
the container holding the data object. That is, the signature can also
cover parts of the “parent” object, such as an email message header or
an HTTP header. Hence, this mechanism can be useful for signing a web page.


     Status

The DOSETA and MIMEAUTH specifications are quite new and are still going
through early reviews. Early returns have been encouraging.

The primary open source implementation of DKIM is [OpenDKIM]. There are
plans to enhance the library so that it also supports DOSETA and MIMEAUTH.


     References

[DKIM] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., and
M. Thomas, "DomainKeys Identified Mail (DKIM) Signatures", RFC 4871, May
2007.

[DOSETA] Crocker, D. and Kucherawy, M., “DomainKeys Security Tagging
(DOSETA)”, Work in Progress,
<http://datatracker.ietf.org/doc/draft-crocker-doseta-base/>, March 2011.

[MIMEAUTH] Crocker, D. and Kucherawy, M., “MIME Content Authentication
using DOSETA (MIMEAUTH)”, Work in Progress,
<http://datatracker.ietf.org/doc/draft-crocker-doseta-mimeauth/>, February
2011.

[OpenDKIM] The OpenDKIM Project, <http://opendkim.org/>

[OpenPGP] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
"OpenPGP Message Format", RFC 4880, November 2007.

[S/MIME] Ramsdell, B. (ed), "S/MIME Version 3 Message Specification",
RFC 2633, June 1999.

1 These core aspects of DOSETA were the essential
contributions developed for DKIM's predecessor, DomainKeys, by Mark
Delany, then of Yahoo!; DKIM was an evolution of DomainKeys. DOSETA is
merely stealing these earlier innovations for re-purposing to other
signing activities.

2 Note also that OpenPGP and S/MIME are typically tied
to confidentiality content encryption, as well as signing. DOSETA can be
enhanced to support confidentiality but it currently only has the task
of authentication.



-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

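The selective header coverage that the message above borrows from DKIM, worked through as an added example (this is not code from the message, from DOSETA or from OpenDKIM). It assumes RFC 6376's "relaxed" header and "simple" body canonicalization reduced to their essentials, and uses HMAC-SHA256 under a shared secret in place of DKIM's RSA-SHA256 so that it runs with the standard library alone; every message in it is a constructed sample. It shows why a Received header added in transit leaves the signature intact, why refolding a covered header is absorbed, that editing covered text breaks the signature, and the caveat every DKIM deployer learns: a second Subject inserted above the signed one still verifies, because only the last instance is selected, unless the signer lists the name one extra time in h= (RFC 6376 section 5.4.2 "oversigning").

```python
"""DKIM-style selective header signing. Added illustration: not code from the
message above, DOSETA or OpenDKIM. Assumptions: RFC 6376 relaxed/simple
canonicalization reduced to its essentials, and HMAC-SHA256 under a shared
secret standing in for RSA-SHA256. Messages below are constructed samples."""
import hashlib
import hmac
import re
from base64 import b64encode

SECRET = b"example-shared-secret"  # assumption: stands in for the signer's private key


def parse_message(raw):
    """Split a CRLF message into [(name, value), ...] headers (folded lines joined) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:  # continuation of a folded header
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace, trim."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower().strip()}:{value}\r\n"


def simple_body(body):
    """Simple body canonicalization: drop trailing empty lines, end with exactly one CRLF."""
    return (re.sub(r"(\r\n)*$", "", body) + "\r\n").encode()


def select_headers(headers, signed_names):
    """For each name in h=, take the last not-yet-used header of that name (bottom-up).
    A name with no instance left contributes nothing, but that empty slot is still covered."""
    used, chosen = set(), []
    for name in signed_names:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name.lower():
                used.add(idx)
                chosen.append(headers[idx])
                break
    return chosen


def signed_data(headers, signed_names, sig_value):
    """Bytes the signature covers: the selected headers, then the signature field itself
    with b= empty and no trailing CRLF. Headers not named in h= never enter this."""
    data = b"".join(relaxed_header(n, v).encode() for n, v in select_headers(headers, signed_names))
    return data + relaxed_header("DKIM-Signature", sig_value).encode().rstrip(b"\r\n")


def sign(raw, signed_names, domain="example.com", selector="s1"):
    headers, body = parse_message(raw)
    bh = b64encode(hashlib.sha256(simple_body(body)).digest()).decode()
    value = (f" v=1; a=hmac-sha256; c=relaxed/simple; d={domain}; s={selector};"
             f" h={':'.join(signed_names)}; bh={bh}; b=")
    mac = hmac.new(SECRET, signed_data(headers, signed_names, value), hashlib.sha256).digest()
    return "DKIM-Signature:" + value + b64encode(mac).decode() + "\r\n" + raw


def verify(raw):
    headers, body = parse_message(raw)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.replace("\r\n", "").split(";") if t.strip())
    bh = b64encode(hashlib.sha256(simple_body(body)).digest()).decode()
    if not hmac.compare_digest(bh, tags.get("bh", "")):
        return False
    stripped = re.sub(r"(^|;)\s*b=[^;]*", r"\1 b=", sig)  # b= emptied, as at signing time
    mac = hmac.new(SECRET, signed_data(headers, tags["h"].split(":"), stripped), hashlib.sha256).digest()
    return hmac.compare_digest(b64encode(mac).decode(), tags.get("b", ""))


def demo():
    """Which in-transit changes a selective signature tolerates, and which it rejects."""
    msg = ("From: alice@example.com\r\nTo: bob@example.net\r\n"
           "Subject: DOSETA selective header coverage\r\n"
           "Date: Fri, 1 Apr 2011 08:42:54 +0100\r\n\r\n"
           "Hello Bob,\r\nthis body is covered by bh=.\r\n\r\n\r\n")
    signed = sign(msg, ["From", "To", "Subject", "Date"])
    oversigned = sign(msg, ["From", "To", "Subject", "Subject", "Date"])  # Subject listed twice
    trace = "Received: from mx.example.net by mx.example.org; Fri, 1 Apr 2011 09:00:00 +0100\r\n" + signed
    refolded = signed.replace("Subject: DOSETA selective header coverage",
                              "Subject:  DOSETA selective\r\n\theader   coverage")
    tampered = signed.replace("Subject: DOSETA", "Subject: [SPAM] DOSETA")
    # a second Subject slipped in above the signed one; many mail clients display the first
    extra = "\r\nSubject: something else entirely\r\nFrom: alice"
    dup_plain = signed.replace("\r\nFrom: alice", extra)
    dup_oversigned = oversigned.replace("\r\nFrom: alice", extra)
    return {"original": verify(signed),
            "trace_header_added": verify(trace),             # Received not in h=: survives
            "covered_header_refolded": verify(refolded),     # absorbed by relaxed canonicalization
            "covered_header_changed": verify(tampered),      # covered text edited: fails
            "duplicate_subject": verify(dup_plain),          # survives: last instance is the signed one
            "oversigned_original": verify(oversigned),       # the empty second slot is harmless
            "duplicate_subject_oversigned": verify(dup_oversigned)}  # fails: the extra slot is covered
```

Run `demo()` to get the verdict for each case. The two duplicate-Subject results are the point for anyone reusing this template outside e-mail: whatever container fields (mail headers, HTTP headers) a signature lists, the verifier must also decide what an unlisted or extra instance of a listed field means, or the signature says nothing about what the recipient actually sees.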
From stpeter@stpeter.im  Wed Apr 27 20:34:05 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930E7E0838 for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 20:34:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AErUtO2qDQbZ for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 20:34:04 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by ietfa.amsl.com (Postfix) with ESMTP id 32375E0870 for <saag@ietf.org>; Wed, 27 Apr 2011 20:34:04 -0700 (PDT)
Received: from squire.local (198-135-0-233.cisco.com [198.135.0.233]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 4122B40022; Wed, 27 Apr 2011 21:38:22 -0600 (MDT)
Message-ID: <4DB8E02A.9030602@stpeter.im>
Date: Wed, 27 Apr 2011 23:34:02 -0400
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4DB8B355.7040505@KingsMountain.com>
In-Reply-To: <4DB8B355.7040505@KingsMountain.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060001060001000106050508"
Cc: IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 03:34:05 -0000

This is a cryptographically signed message in MIME format.

--------------ms060001060001000106050508
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Jeff, thanks for the feedback. I just arrived in Princeton for another
W3C workshop (on web tracking and user privacy) and I need to submit the
position paper today (I think that means in the next 30 minutes), so
I'll try to incorporate as much of your feedback as possible.

On 4/27/11 8:22 PM, =JeffH wrote:
> Glad you folks are putting this together and that PSA will be there with
> an IETF hat on.
>
> I'm supportive of everyone's feedback on this so far. Below's my
> editorial suggestions, applied to the original version of the writeup. I
> found it a bit confusing terminology- and organization-wise. I'm sorta
> guessing about some of the intent/context, but took a stab at enhancing it.
>
> Basically, I'd spell things out in a bit more contextual detail because
> if one isn't mired in the middle of all this web and web browser stuff,
> it can be pretty confusing.
>
> take what you will of the below, hope it helps a bit,
>
> =JeffH
>
>> =======================================================================
>>
>> Abstract
>>
>> This position paper aims to provide some motivations for an Application
>> Programming Interface (API) that will allow developers access to
>> cryptographic algorithms already present in today's web browsers.
>
> Today, Web applications are constructed from a combination of server
> side code and dynamically-downloaded client side amalgamations of HTML
> and Javascript (plus other components). The formally standardized
> environment the client-side Javascript programmer has to work with is
> provided by the browser implementation (e.g. the DOM Core [1], CSS
> Selectors, Geolocation, localStorage, etc  APIs [2]). Additionally,
> various de-jure standard Javascript libraries are often downloaded and
> utilized (e.g. JQuery []). But again, those libraries are limited to the
> same native client side APIs that main web application client-side
> Javascript modules have access to. The standardized native client side
> APIs do not include cryptographic functions at this time.
>
> This position paper presents motivations for specifying a native
> in-browser cryptographic Application Programming Interface (API)
> facilitating developer access to basic cryptographic functions -- that
> are already part of the browser or its execution environment -- similar
> to what is available to application programmers developing directly on
> typical operating system platforms.
>
>
>
>> Motivations
>>
>> More and more applications are moving to the "web" (i.e.,
>> http://www.example.com:80 and http://www.example.com:443).
>
>
> More and more applications are moving to the "web" (i.e.,
> HTTP + HTML + Javascript + other stuff as appropriate).
>
>
>> Developers
>> are working within the confines of browsers to secure these applications
>> and most use Secure Sockets Layer (SSL)/Transport Security Layer (TLS)
>> to do so.  For applications whose architectures are not strictly
>> client-server this reliance is not always optimal.
>                                                      ^
>                                                    insert:
>
> For example, for some applications there is a need to apply data-origin
> message-level authentication and possibly encryption to objects
> exchanged between the browser and other network entities.
>
>> As a work around,
>> developers are investigating the use of JavaScript Object Notation
>> (JSON) for application layer security protocols and cryptographic
>> algorithms.
>
> As a work around,
> developers are investigating the use of JavaScript Object Notation
> (JSON) for application layer security protocols, as well as implementing
> various cryptographic functions directly in Javascript libraries
> (Javascript libraries are typically stored at well-known web addresses
> and fetched as needed by any web application needing them).
>
>
> New para here:
>
>> Use of JSON makes some sense in an application layer
>> security protocol but developers rolling and then delivering their own
>> cryptographic algorithms is not only wasteful but is possibly insecure
>> when the browser's security "goodies" (i.e., the cryptographic
>> algorithms) are just an Application Programming Interface (API) away.
>
> Use of JSON as an object encoding construct makes sense in a web
> application layer security protocol. However, developers rolling and then
> delivering their own cryptographic libraries is wasteful when the
> browsers' already existing cryptographic functions are just an
> "Application Programming Interface (API) away". The various functions
> that could be made available via such APIs are: message digest/hash
> algorithms, digital signature algorithms, content encryption algorithms,
> key wrap algorithms, keyed-Hash Message Authentication Code (HMAC)
> algorithms, etc.
>
>
>> Downloading cryptographic algorithms is wasteful in terms of bandwidth
>> used.
>
> delete above -- it was already said immediately above.
>
> combine this..
>> Application and browser developers are both very interested in
>> ensuring their applications are speedy in the eyes of users; nobody
>> wants to lose a speed war on cnet®.  If web developers end up rolling
>> their own cryptographic algorithms to support a JSON application layer
>> security protocol, then the code may end up being downloaded during
>> application initialization.
> ..with "Use of JSON..." para.
>
> s/algorithms/libraries/
>
>> Cryptographic code could include: message
>> digest/hash algorithms, digital signature algorithms, content encryption
>> algorithms, key wrap algorithms, keyed-Hash Message Authentication Code
>> (HMAC) algorithms, etc.
>
> above sentence was moved upwards.
>
>
>
>
>
>>
>> Developers rolling their own cryptographic code could be insecure.
>
> Developers rolling their own new cryptographic code will almost
> certainly beget insecure functionality.
>
>>  As
>> Steve Bellovin pointed out in RFC 5406: The design of security protocols
>> is a subtle and difficult art.  In fact, it is worse: coding security
>> protocols is even more subtle and difficult than designing the security
>> protocol.  There is no doubt that some developers will get it right the
>> first time but there is also no doubt that some will get it wrong.  With
>> cryptographic algorithms already coded in browsers and some having been
>                 ^^^^^^^^^^         ^^^^^
>                functions         implemented
>
>> National Institute of Standards and Technology (NIST) Federal
>> Information Processing Publication (FIPS PUB) 140 evaluated, it seems
>> unnecessarily risky to not utilize the cryptographic algorithms already
>> present in the browser.                              ^^^^^^^^^^
>                                                       functions
>
>>
>> Greedy Goals
>>
>> An API that allows web developers to access browser-embedded
>> cryptographic algorithms would include the following:
>>
>> o Support for hash/message digest algorithms (e.g., SHA-256);
>> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5,
> ECDSA);
>> o Support for confidentiality algorithms (i.e., AES);
>> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5,
>> ECDH);
>> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
>> o Support extracting keys from TLS sessions ala RFC 5176;
>> o Support for PKI path validation (i.e., input/output of base64
>> certificate/crl/ocsp blobs), and;
>> o Support for Cryptographic Message Syntax (CMS).
>
> add references:
>
>
> [1]  http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/
>
> [2]  http://blog.frontendforce.com/2010/04/html5-javascript-api-whats-new/
>      see also pages 20 & 21 of..
>     http://www.ietf.org/proceedings/80/slides/plenaryt-6.pdf
>
>
>
>> _______________________________________________
> end
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


-- 
Peter Saint-Andre
https://stpeter.im/




--------------ms060001060001000106050508
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms060001060001000106050508--

From stpeter@stpeter.im  Wed Apr 27 21:05:07 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B819E072E for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 21:05:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Dg+FriDaTfY for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 21:05:06 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by ietfa.amsl.com (Postfix) with ESMTP id B91D3E0680 for <saag@ietf.org>; Wed, 27 Apr 2011 21:05:06 -0700 (PDT)
Received: from squire.local (198-135-0-233.cisco.com [198.135.0.233]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 1F84540022; Wed, 27 Apr 2011 22:09:25 -0600 (MDT)
Message-ID: <4DB8E770.1010507@stpeter.im>
Date: Thu, 28 Apr 2011 00:05:04 -0400
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4DB8B355.7040505@KingsMountain.com> <4DB8E02A.9030602@stpeter.im>
In-Reply-To: <4DB8E02A.9030602@stpeter.im>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms040505040802010804020604"
Cc: IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 04:05:07 -0000

This is a cryptographically signed message in MIME format.

--------------ms040505040802010804020604
Content-Type: multipart/mixed;
 boundary="------------010801000709040503070801"

This is a multi-part message in MIME format.
--------------010801000709040503070801
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 4/27/11 11:34 PM, Peter Saint-Andre wrote:
> Jeff, thanks for the feedback. I just arrived in Princeton for another
> W3C workshop (on web tracking and user privacy) and I need to submit the
> position paper today (I think that means in the next 30 minutes), so
> I'll try to incorporate as much of your feedback as possible.

See attached PDF file for what I submitted.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



--------------010801000709040503070801
Content-Type: application/pdf;
 name="web-security-api.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="web-security-api.pdf"
--------------010801000709040503070801--

--------------ms040505040802010804020604
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms040505040802010804020604--

From Jeff.Hodges@KingsMountain.com  Thu Apr 28 09:45:59 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FE71E06AF for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 09:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.615
X-Spam-Level: 
X-Spam-Status: No, score=-100.615 tagged_above=-999 required=5 tests=[AWL=-0.430, BAYES_40=-0.185, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X0dJGbxvHVBJ for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 09:45:59 -0700 (PDT)
Received: from oproxy1-pub.bluehost.com (oproxy1-pub.bluehost.com [66.147.249.253]) by ietfa.amsl.com (Postfix) with SMTP id DA66FE0669 for <saag@ietf.org>; Thu, 28 Apr 2011 09:45:58 -0700 (PDT)
Received: (qmail 10836 invoked by uid 0); 28 Apr 2011 16:45:58 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 28 Apr 2011 16:45:58 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=DQOIFGk4vrJyzOFQIYgWrY9UiT3pB7S1PqljofbILjOWFKjDoG3GW1t6GO7iQD2TZMI6eMgHlqbA9HrDRVyULGRujm48qyuquyYhfQfVc2WorlKcVp3IG8/Ouo0lif5h;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.136.202]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QFULm-0006rK-7b; Thu, 28 Apr 2011 10:45:58 -0600
Message-ID: <4DB999C5.4050309@KingsMountain.com>
Date: Thu, 28 Apr 2011 09:45:57 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>,  IETF Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 16:45:59 -0000

 > See attached PDF file for what I submitted.

LGTM


thx,

=JeffH


From turners@ieca.com  Thu Apr 28 12:56:15 2011
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4C4E070D for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 12:56:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.495
X-Spam-Level: 
X-Spam-Status: No, score=-102.495 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GVfkRCNPpIpa for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 12:56:14 -0700 (PDT)
Received: from nm10-vm0.bullet.mail.sp2.yahoo.com (nm10-vm0.bullet.mail.sp2.yahoo.com [98.139.91.198]) by ietfa.amsl.com (Postfix) with SMTP id B5970E071F for <saag@ietf.org>; Thu, 28 Apr 2011 12:56:14 -0700 (PDT)
Received: from [98.139.91.61] by nm10.bullet.mail.sp2.yahoo.com with NNFMP; 28 Apr 2011 19:56:12 -0000
Received: from [98.139.91.2] by tm1.bullet.mail.sp2.yahoo.com with NNFMP; 28 Apr 2011 19:56:12 -0000
Received: from [127.0.0.1] by omp1002.mail.sp2.yahoo.com with NNFMP; 28 Apr 2011 19:56:12 -0000
X-Yahoo-Newman-Id: 266891.71588.bm@omp1002.mail.sp2.yahoo.com
Received: (qmail 80482 invoked from network); 28 Apr 2011 19:56:12 -0000
Received: from thunderfish.local (turners@71.191.13.18 with plain) by smtp115.biz.mail.sp1.yahoo.com with SMTP; 28 Apr 2011 12:56:11 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: QNQMZFYVM1lsB5fJUQx4VJqMEvCyPv0TPRg3PRzE4H5MB3p O2iC5wiZrQad8y0FBIkPXhoM2dHXapfxtpTh.MP5KScKKLfqt0S0RBC4HCpX 12pnz8GIlOncZ5srow2edqC7vW4SN4TVYOi.0yNkQzibNMErIZngSHxCXCYt lzR2Q8YPu7apY.miOQBTpwvD0_vrqImUhv.MQFwAdrTamyxc9h4UFSfatoCi paTFu4ptPHfWF7dhS1iuZahelFRdORhpzoc4aYcpQF.7A1XgY3jF3iwt04_n E2n9qoF.6L2tn8eLqs3q22JqevE9Q1MkNH_6U2.Q.oXP35rpopHom89OEIsH r5kKNnLz9RrC8UIRxFSKAoBwzykoJbciaQ7dYhvr9
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4DB9C65A.70108@ieca.com>
Date: Thu, 28 Apr 2011 15:56:10 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: [saag] Fwd: 81th IETF - Working Group/BOF Scheduling
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 19:56:15 -0000

In case you're considering a security related BOF, please note the dates 
and instructions below.

spt
-------- Original Message --------
Subject: 81st IETF - Working Group/BOF Scheduling

-----------------------------------------------------------------
81st IETF – Quebec City, Canada
Meeting Dates: July 24-29, 2011
Host: RIM
-----------------------------------------------------------------
IETF meetings start Monday morning and run through Friday mid-afternoon
(15:15).

We are accepting scheduling requests for all Working Groups and BOFs
starting today.  The milestones and deadlines for scheduling-related
activities are as follows:

NOTE: cutoff dates are subject to change.

*  2011-04-25 (Week of): Working Group and BOF scheduling begins. To
request a Working Group session, use the IETF Meeting Session Request
Tool.
*  2011-06-13 (Monday): Cutoff date for BOF proposal requests to Area
Directors at 17:00 PT (00:00 UTC). To request a BOF, please see
instructions on Requesting a BOF.
*  2011-06-16 (Thursday): Cutoff date for Area Directors to approve BOFs 
at 17:00 PT (00:00 UTC).
*  2011-06-23 (Thursday): Preliminary agenda published for comment.
*  2011-06-27 (Monday): Cutoff date for requests to reschedule Working
Group and BOF meetings 17:00 PT (00:00 UTC).
*  2011-07-01 (Friday): Final agenda to be published.
*  2011-07-04 (Monday): Internet Draft Cut-off for initial document 
(-00) submission by 17:00 PT (00:00 UTC), upload using IETF ID 
Submission Tool.
*  2011-07-11 (Monday): Internet Draft final submission cut-off by 17:00
PT (00:00 UTC), upload using IETF ID Submission Tool.

Submitting Requests for BOF Sessions

Please send requests to schedule your BOF sessions to agenda@ietf.org.
Please include the acronym of your BOF in the subject line of the message,
and include all of the information specified in item (4) of "Requesting
Meeting Sessions at IETF Meetings" in the body.  (This document is
included below.)

If you are a BOF chair who is not also a Working Group chair, then you
will be given an account on the "IETF Meeting Materials Management Tool"
when your BOF has been approved.  If you require assistance in using
either tool, or wish to report a bug, then please send a message to:
ietf-action@ietf.org.
===============================================================
For your convenience, comprehensive information on requesting meeting
sessions at IETF 81 is presented below:

1. Requests to schedule Working Group sessions should be submitted using
the "IETF Meeting Session Request Tool," a Web-based tool for submitting
all of the information required by the Secretariat to schedule your
sessions.  The URL for the tool is:

https://datatracker.ietf.org/cgi-bin/wg/wg_session_requester.cgi

Instructions for using the tool are available at:

http://www.ietf.org/instructions/session_request_tool_instruction.html

If you require an account on this tool, or assistance in using it, then
please send a message to ietf-action@ietf.org.  If you are unable to use
the tool, then you may send your request via e-mail to agenda@ietf.org,
with a copy to the appropriate Area Director(s).

Requests to schedule BOF sessions must be sent to agenda@ietf.org with a
copy to the appropriate Area Director(s).

When submitting a Working Group or BOF session request by e-mail, please
include the Working Group or BOF acronym in the Subject line.

2. BOFs will NOT be scheduled unless the Area Director(s) approved
request is accompanied by a BOF'S FULL NAME AND ACRONYM, AREA, CHAIR(S)
NAME(S) (given together with e-mail address(es)), AN AGENDA AND FULL
DESCRIPTION, and the information requested in (4) below. (Please read the
BOF Procedure at: http://www.ietf.org/ietf/1bof-procedures.txt before
requesting a session for a BOF.)

3. A Working Group may request either one or two sessions.  If your
Working Group requires more than two sessions, then your request must be
approved by an Area Director.  Additional sessions will be assigned, based
on availability, after Monday, June 27, 2011 at 17:00 PT (00:00 UTC), the
cut-off date for requests to reschedule a session.

4. You MUST provide the following information before a Working Group or
BOF session will be scheduled:

     a. Working Group or BOF full name with acronym in brackets:

     b. AREA under which Working Group or BOF appears:

     c. CONFLICTS you wish to avoid, please be as specific as possible:

     d. Expected Attendance:

     e. Special requests:

     f. Number of sessions:

     g. Length of session:
        - 1 hour
        - 1 1/2 hours
        - 2 hours
        - 2 1/2 hours

For more information on scheduling Working Group and BOF sessions, please
refer to RFC 2418 (BCP 25), "IETF Working Group Guidelines and Procedures"
(http://www.ietf.org/rfc/rfc2418.txt).
===============================================================
For your convenience please find here a list of the IETF Security Area 
Directors with their e-mail addresses:

Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sean Turner <turners@ieca.com>


From nico@cryptonector.com  Thu Apr 28 14:19:49 2011
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 225C1E0712 for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 14:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.477
X-Spam-Level: 
X-Spam-Status: No, score=-2.477 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YshZtqMo6OCN for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 14:19:48 -0700 (PDT)
Received: from homiemail-a34.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id A7D9DE06C3 for <saag@ietf.org>; Thu, 28 Apr 2011 14:19:48 -0700 (PDT)
Received: from homiemail-a34.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTP id 68C061005D for <saag@ietf.org>; Thu, 28 Apr 2011 14:19:48 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns; s=cryptonector.com; b=nDgW1aNUKBDEZp8CW17Bv +Jo7KjKlJnb9fDhd/GtE68fjTXf+Kkg5bZCAegNAYdhn3UY02edUUk6fwAOZShyx a/4GI0PJn3IL4YK6a0lCFAxJr70aknOaIhkdS6HSUnVONi3SAlT2HvQcbbFmcLaU ah2NvzaqkIIszSa03ZUx7c=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=RmT7UmCpdKbiVLV1TEH6 nKzVFkw=; b=pFeQPwfQZQqxSkhD9mxJkJcfJQMhBXIvP7IcHLOYENzJI4oE/RF2 zIvzKEIhUAXG6p9Z8JluYaJS9s2iGYElNbPWnf7PYMjZ940etiYuKCIbp4iciuq9 MZvHgMmIPGKSI9286IuVZY7CP4WDlN6G7O8xY6xgBuMF4Hnfkz49jsw=
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTPSA id 0BE1C10059 for <saag@ietf.org>; Thu, 28 Apr 2011 14:19:47 -0700 (PDT)
Received: by wwa36 with SMTP id 36so2449839wwa.13 for <saag@ietf.org>; Thu, 28 Apr 2011 14:19:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.68.140 with SMTP id l12mr1688456wed.79.1304025586477; Thu, 28 Apr 2011 14:19:46 -0700 (PDT)
Received: by 10.216.241.200 with HTTP; Thu, 28 Apr 2011 14:19:46 -0700 (PDT)
In-Reply-To: <4DB6C1E7.9050805@ieca.com>
References: <4DB6C1E7.9050805@ieca.com>
Date: Thu, 28 Apr 2011 16:19:46 -0500
Message-ID: <BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Sean Turner <turners@ieca.com>
Content-Type: text/plain; charset=UTF-8
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 21:19:49 -0000

On Tue, Apr 26, 2011 at 8:00 AM, Sean Turner <turners@ieca.com> wrote:
> Greedy Goals
>
> An API that allows web developers to access browser-embedded cryptographic
> algorithms would include the following:
>
> o Support for hash/message digest algorithms (e.g., SHA-256);
> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
> o Support for confidentiality algorithms (i.e., AES);
> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5,
> ECDH);
> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
> o Support extracting keys from TLS sessions ala RFC 5176;

Please add:

 o Support for extracting channel bindings from TLS connections (see RFC5929);

Also, practically every major OS, if not every major OS, has a native
SASL and GSS-API implementation (or SSPI, which, for my purposes is
about the same).  It'd be nice to expose a standard interface to those
via JavaScript.  (See my GSS-REST paper that I submitted to the same
workshop, and which I posted here yesterday.)

> o Support for PKI path validation (i.e., input/output of base64
> certificate/crl/ocsp blobs), and;
> o Support for Cryptographic Message Syntax (CMS).

Nico
--

From turners@ieca.com  Thu Apr 28 14:33:47 2011
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB7C2E06A6 for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 14:33:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.5
X-Spam-Level: 
X-Spam-Status: No, score=-102.5 tagged_above=-999 required=5 tests=[AWL=0.098,  BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DyEDia+F+V2m for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 14:33:47 -0700 (PDT)
Received: from nm16.bullet.mail.bf1.yahoo.com (nm16.bullet.mail.bf1.yahoo.com [98.139.212.175]) by ietfa.amsl.com (Postfix) with SMTP id 16CD2E06C3 for <saag@ietf.org>; Thu, 28 Apr 2011 14:33:46 -0700 (PDT)
Received: from [98.139.212.153] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 28 Apr 2011 21:33:46 -0000
Received: from [98.139.212.238] by tm10.bullet.mail.bf1.yahoo.com with NNFMP; 28 Apr 2011 21:33:46 -0000
Received: from [127.0.0.1] by omp1047.mail.bf1.yahoo.com with NNFMP; 28 Apr 2011 21:33:46 -0000
X-Yahoo-Newman-Id: 598174.82371.bm@omp1047.mail.bf1.yahoo.com
Received: (qmail 61058 invoked from network); 28 Apr 2011 21:33:46 -0000
Received: from thunderfish.local (turners@71.191.13.18 with plain) by smtp105.biz.mail.bf1.yahoo.com with SMTP; 28 Apr 2011 14:33:46 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: rlZTMOgVM1nKRua_z.gwRvI0prFoSfT_kxZyBAtPGB4FiPT 7Njo5lqxH.w.iSoJ7nQcfjVZHsZZXzr9s3HhlsqV0gGUdLXKaiexxes1Lvph FIKIW08xYLxI9TFrg0iz9IeHFP4omVq76CBQCGb.OunCRrCPbl_Mo.18LYIe 1BykSRLIVy5AtsE5lDU4lyV2KjOxMa0cgZqiivTUWR88j1VmHRZLOKRimaRJ d77z517S94RcA2tG1xk1XqGGJqcfa0yO5dNZXPU2okg8_KWCzg_RvpbQSN9. ogRDdMp5WnjJb5ddFjeaiLkTDkKC2jdiN2iLdz4WNSx1taFKoAyxMCZhzZeJ NpnbKsjdgsRJOR_mxt_TuPQhTaQ--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4DB9DD38.4080904@ieca.com>
Date: Thu, 28 Apr 2011 17:33:44 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <4DB6C1E7.9050805@ieca.com> <BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com>
In-Reply-To: <BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Thu, 28 Apr 2011 21:33:48 -0000

Nico,

It made it in the version we submitted last night.

spt

On 4/28/11 5:19 PM, Nico Williams wrote:
> On Tue, Apr 26, 2011 at 8:00 AM, Sean Turner<turners@ieca.com>  wrote:
>> Greedy Goals
>>
>> An API that allows web developers to access browser-embedded cryptographic
>> algorithms would include the following:
>>
>> o Support for hash/message digest algorithms (e.g., SHA-256);
>> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5, ECDSA);
>> o Support for confidentiality algorithms (i.e., AES);
>> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5,
>> ECDH);
>> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
>> o Support extracting keys from TLS sessions ala RFC 5176;
>
> Please add:
>
>   o Support for extracting channel bindings from TLS connections (see RFC5929);
>
> Also, practically every major OS, if not every major OS, has a native
> SASL and GSS-API implementation (or SSPI, which, for my purposes, is
> about the same).  It'd be nice to expose a standard interface to those
> via JavaScript.  (See my GSS-REST paper that I submitted to the same
> workshop, and which I posted here yesterday.)
>
>> o Support for PKI path validation (i.e., input/output of base64
>> certificate/crl/ocsp blobs), and;
>> o Support for Cryptographic Message Syntax (CMS).
>
> Nico
> --
>

From stpeter@stpeter.im  Thu Apr 28 15:26:02 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C94A5E070B for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 15:26:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.539
X-Spam-Level: 
X-Spam-Status: No, score=-102.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xWX1PZNKTA46 for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 15:26:02 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by ietfa.amsl.com (Postfix) with ESMTP id 36E65E06A6 for <saag@ietf.org>; Thu, 28 Apr 2011 15:26:02 -0700 (PDT)
Received: from squire.local (198-135-0-233.cisco.com [198.135.0.233]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id DBE0540022; Thu, 28 Apr 2011 16:30:23 -0600 (MDT)
Message-ID: <4DB9E976.3030501@stpeter.im>
Date: Thu, 28 Apr 2011 18:25:58 -0400
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Sean Turner <turners@ieca.com>
References: <4DB6C1E7.9050805@ieca.com>	<BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com> <4DB9DD38.4080904@ieca.com>
In-Reply-To: <4DB9DD38.4080904@ieca.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms050603010301020100020409"
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Thu, 28 Apr 2011 22:26:02 -0000

If I missed anything, please let me know -- I was working on it late
last night and might have failed to incorporate all comments. Perhaps I
can re-submit if needed.

Peter

On 4/28/11 5:33 PM, Sean Turner wrote:
> Nico,
>
> It made it in the version we submitted last night.
>
> spt
>
> On 4/28/11 5:19 PM, Nico Williams wrote:
>> On Tue, Apr 26, 2011 at 8:00 AM, Sean Turner<turners@ieca.com>  wrote:
>>> Greedy Goals
>>>
>>> An API that allows web developers to access browser-embedded
>>> cryptographic
>>> algorithms would include the following:
>>>
>>> o Support for hash/message digest algorithms (e.g., SHA-256);
>>> o Support for digital signatures algorithms (e.g., RSA PKCS#1 v1.5,
>>> ECDSA);
>>> o Support for confidentiality algorithms (i.e., AES);
>>> o Support for key transport/agreement algorithms (e.g., RSA PKCS#1 v1.5,
>>> ECDH);
>>> o Support for HMAC algorithms (e.g., HMAC-SHA1, HMAC-SHA256);
>>> o Support extracting keys from TLS sessions ala RFC 5176;
>>
>> Please add:
>>
>>   o Support for extracting channel bindings from TLS connections (see
>> RFC5929);
>>
>> Also, practically every major OS, if not every major OS, has a native
>> SASL and GSS-API implementation (or SSPI, which, for my purposes, is
>> about the same).  It'd be nice to expose a standard interface to those
>> via JavaScript.  (See my GSS-REST paper that I submitted to the same
>> workshop, and which I posted here yesterday.)
>>
>>> o Support for PKI path validation (i.e., input/output of base64
>>> certificate/crl/ocsp blobs), and;
>>> o Support for Cryptographic Message Syntax (CMS).
>>
>> Nico
>> --
>>



From nico@cryptonector.com  Thu Apr 28 16:22:22 2011
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 841CDE06EC for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 16:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.377
X-Spam-Level: 
X-Spam-Status: No, score=-2.377 tagged_above=-999 required=5 tests=[AWL=-0.400, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klbh84I6iHKG for <saag@ietfa.amsl.com>; Thu, 28 Apr 2011 16:22:20 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id 3E6A1E0738 for <saag@ietf.org>; Thu, 28 Apr 2011 16:22:20 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTP id CA5AE5405B for <saag@ietf.org>; Thu, 28 Apr 2011 16:22:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns; s=cryptonector.com; b=vT25x2Q1Fpk2/nffbbJxk W+V6fbc7q+DhpctY6bSbtoA1LltaKeupuEkum9l9sGttDM3CCT3Wygcxmh1042+J nZSv65p6SjuaCuP/dz+w9Yq1/mkLYXzKmZYVlPyxiSns3gtrsbJ+bSsB7oDYfeSl J0C05RE/Egbehw+Svxp7uQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=BkA+dOgZ30DurjFoLxmO KMsZqAw=; b=cU1euI6xP1MCdRi3jpI76hEJ95q9rqTP887GAeuYdVOLvp119NTe ZDlAhD9d0HH2JZ83R5r5lAW/SEhPsTzj/yJ1UH8OwWuXoLF+gudwXVQyKpJQtmQx ZDpL4DWCcHNSn3upOn20EKYckEGwerzFZuSvNUp5qxvA/i6x5KZWcJs=
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTPSA id 710DA54055 for <saag@ietf.org>; Thu, 28 Apr 2011 16:22:19 -0700 (PDT)
Received: by wwa36 with SMTP id 36so2511710wwa.13 for <saag@ietf.org>; Thu, 28 Apr 2011 16:22:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.145.200 with SMTP id p50mr370292wej.79.1304032938207; Thu, 28 Apr 2011 16:22:18 -0700 (PDT)
Received: by 10.216.241.200 with HTTP; Thu, 28 Apr 2011 16:22:18 -0700 (PDT)
In-Reply-To: <4DB9E976.3030501@stpeter.im>
References: <4DB6C1E7.9050805@ieca.com> <BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com> <4DB9DD38.4080904@ieca.com> <4DB9E976.3030501@stpeter.im>
Date: Thu, 28 Apr 2011 18:22:18 -0500
Message-ID: <BANLkTikBftcAU7XBv8K6zHcDrBCDP+K+WA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset=UTF-8
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Thu, 28 Apr 2011 23:22:22 -0000

On Thu, Apr 28, 2011 at 5:25 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> If I missed anything, please let me know -- I was working on it late
> last night and might have failed to incorporate all comments. Perhaps I
> can re-submit if needed.

I'd word the item about channel binding slightly differently:

 o Extraction of TLS channel bindings (see RFC5929)

Note that developers can use the TLS extractor and still get close to
RFC5056 channel binding semantics.  I'd rather developers used RFC5929
instead of the TLS extractor though, except where they absolutely need
to extract shared secret key material.  Which brings me to...

...I'm afraid that we could be giving developers a lot of rope and not
much instruction in its use.  I have no objection of any kind to
giving developers all this rope (we don't have much choice anyways, as
they will get it with or without our approval).  But since developers
will likely be doing things that amount to security mechanism
composition, it'd be quite useful to take this chance to educate them,
via your W3C audience, as to the value of channel binding as a
composition design and analysis technique.

I would also very much like off-the-shelf security mechanisms made
available to developers, for obvious reasons.  Besides the obvious
reasons there's also this one: browser chrome can be aware of and help
manage identities/credentials for such mechanisms, whereas mechanisms
implemented in random scripts cannot provide that level of
integration.

Nico
--

From pgut001@login01.cs.auckland.ac.nz  Fri Apr 29 04:31:58 2011
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAEE6E06FE for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 04:31:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.48
X-Spam-Level: 
X-Spam-Status: No, score=-3.48 tagged_above=-999 required=5 tests=[AWL=0.119,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MNLeFwRzYu19 for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 04:31:54 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id 3A783E06DD for <saag@ietf.org>; Fri, 29 Apr 2011 04:31:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1304076714; x=1335612714; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20nico@cryptonector.com,=20turners@ieca.com|Subject: =20Re:=20[saag]=20Paper=20for=20W3C=20Identity=20in=20the =20Browser=20Workshop|Cc:=20saag@ietf.org|In-Reply-To:=20 <BANLkTi=3D+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com> |Message-Id:=20<E1QFlvL-0006ri-Li@login01.fos.auckland.ac .nz>|Date:=20Fri,=2029=20Apr=202011=2023:31:51=20+1200; bh=aq1FRUt1GWBKXwL/kTpaywrjHNbptBex/Om9iRKaQpc=; b=qQo4lb7WomRb8v3Y1T0cwL2FjWhcdN6os0FwyzUB9GPGppTRHDT3yGrk 66c+SieW53iNEUqKl5K8meeFWHMT/9cSh183lUZk8BZ4Av586jgIn8/Qe pIKc/L1YSHtwhNmAZ1en8Ku0Oy36aoGouhugzL3fo1cVYmg9vRamhGBYS M=;
X-IronPort-AV: E=Sophos;i="4.64,287,1301832000"; d="scan'208";a="59053922"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 29 Apr 2011 23:31:51 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QFlvL-0005vt-IR; Fri, 29 Apr 2011 23:31:51 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QFlvL-0006ri-Li; Fri, 29 Apr 2011 23:31:51 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: nico@cryptonector.com, turners@ieca.com
In-Reply-To: <BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com>
Message-Id: <E1QFlvL-0006ri-Li@login01.fos.auckland.ac.nz>
Date: Fri, 29 Apr 2011 23:31:51 +1200
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Fri, 29 Apr 2011 11:31:59 -0000

Nico Williams <nico@cryptonector.com> writes:

>Please add:

That's it, it's doomed.  You may as well just take the CDSA spec [0] and add a
Javascript wrapper for it, given that it now includes pretty much everything,
including at least two different styles of kitchen sink.

Peter.

[0] This being the most elephantine crypto API I know of, with (from memory,
    before it collapsed under its own gravitational field) 1,000 pages of
    documentation and 250MB of code.

From stephen.farrell@cs.tcd.ie  Fri Apr 29 04:36:57 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72E3AE06DD for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 04:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aPZg0nT2iA+4 for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 04:36:53 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id 4365EE0723 for <saag@ietf.org>; Fri, 29 Apr 2011 04:36:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id ABA04171C08; Fri, 29 Apr 2011 12:36:51 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1304077011; bh=bSKU0gPf2qlQh3 OFdb8hkqws+jfFGyFnOjt6BSlqWyU=; b=WeQ8Z9FuE8MsVMRrVeHMOtHqdTYw9j XWuhqUZ4yoO49tmDYtXywqMd9chor5U2vX8zXVuYlURh4PaVprxohk0qdeUkGOft 58lm6XfeI1HAVsymc48DRPMyZJwjJLoCbo9HJtSEi6wP/MQ4pOPBb2j5zKZFICZB rxu451ARIgx2sN2aXH6AdU2lCTWaOeZKo0fefprAxRDxwXGPslMORKJrkpdeqCyy BhLyQN6Wb5O/bWpGG+GfzF5K8Pju7+fwo1ma8Yd2GMrvs5EIV7kf+uyRpgXUoN+C AfUde4UizBi2TVTXqutc+bqIC9Gv61ELJZZQBtZQGRycheSOD3sxz40g==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id EIBBph366O30; Fri, 29 Apr 2011 12:36:51 +0100 (IST)
Received: from [134.226.36.137] (stephen-samy.dsg.cs.tcd.ie [134.226.36.137]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 0AF3B171BFA; Fri, 29 Apr 2011 12:36:46 +0100 (IST)
Message-ID: <4DBAA2CE.7010000@cs.tcd.ie>
Date: Fri, 29 Apr 2011 12:36:46 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1QFlvL-0006ri-Li@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QFlvL-0006ri-Li@login01.fos.auckland.ac.nz>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Fri, 29 Apr 2011 11:36:57 -0000

On 29/04/11 12:31, Peter Gutmann wrote:
> Nico Williams <nico@cryptonector.com> writes:
> 
>> Please add:
> 
> That's it, it's doomed.  

That's early to call it, even for you, Peter :-)

If this got traction, then there'd be some interplay between
various interested folks, not sure where, but I bet that one
of the first things that'd have to be done is make it simple
for web developers, which would be a good thing IMO.

If it starts being CDSA-like, my name won't be attached at
least!

S.

From pgut001@login01.cs.auckland.ac.nz  Fri Apr 29 04:47:04 2011
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38BFEE071D for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 04:47:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.493
X-Spam-Level: 
X-Spam-Status: No, score=-3.493 tagged_above=-999 required=5 tests=[AWL=0.106,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azXCS9hNMDzx for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 04:47:00 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id 13BDBE06C0 for <saag@ietf.org>; Fri, 29 Apr 2011 04:46:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1304077620; x=1335613620; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20pgut001@cs.auckland.ac.nz,=20stephen.farrell@cs.tc d.ie|Subject:=20Re:=20[saag]=20Paper=20for=20W3C=20Identi ty=20in=20the=20Browser=20Workshop|Cc:=20nico@cryptonecto r.com,=20saag@ietf.org,=20turners@ieca.com|In-Reply-To: =20<4DBAA2CE.7010000@cs.tcd.ie>|Message-Id:=20<E1QFm9z-00 07gV-4v@login01.fos.auckland.ac.nz>|Date:=20Fri,=2029=20A pr=202011=2023:46:59=20+1200; bh=4i6ny8fAT9YeivbuctRVffXSYN8thIgjhC6mhkQ0J/8=; b=XY1LrFNo4ElBg9v40xXL3r0y0C6v9q1GGWVQBvSYX1R9CVm7UcgA1Bv6 l0F8+4r3kCZ7OJP9uc0UZimfJ+uMzl7M9+nMe4wtvFxDZIagovFyfE77a dGo2+SudcXpW0XnKLQWYkUy2hvZOWNJ211NvZomyJwKJewHfURX89ksr6 Y=;
X-IronPort-AV: E=Sophos;i="4.64,287,1301832000"; d="scan'208";a="59061716"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 29 Apr 2011 23:46:59 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QFm9z-0006NF-Gl; Fri, 29 Apr 2011 23:46:59 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QFm9z-0007gV-4v; Fri, 29 Apr 2011 23:46:59 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: pgut001@cs.auckland.ac.nz, stephen.farrell@cs.tcd.ie
In-Reply-To: <4DBAA2CE.7010000@cs.tcd.ie>
Message-Id: <E1QFm9z-0007gV-4v@login01.fos.auckland.ac.nz>
Date: Fri, 29 Apr 2011 23:46:59 +1200
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Fri, 29 Apr 2011 11:47:04 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

>I bet that one of the first things that'd have to be done is make it simple
>for web developers

In that case it'd need to have an API built around things like "protect a
password", "wrap a message", and one or two others, something a bit like what
I suggested earlier.  How many web developers are going to even know what PKI
path validation and TLS channel bindings are, let alone want to touch them
with a barge pole?  The current proposal seems entirely tuned to meeting the
needs of security geeks, and totally alien for web developers.

Peter.

From paul.hoffman@vpnc.org  Fri Apr 29 06:49:20 2011
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B78E9E06A7 for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 06:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.588
X-Spam-Level: 
X-Spam-Status: No, score=-101.588 tagged_above=-999 required=5 tests=[AWL=1.011, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ksgTmYCRAvC for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 06:49:20 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2001:4870:a30c:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id E2D15E0663 for <saag@ietf.org>; Fri, 29 Apr 2011 06:49:19 -0700 (PDT)
Received: from [10.20.30.150] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p3TDmuLO023861 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 29 Apr 2011 06:48:57 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <E1QFm9z-0007gV-4v@login01.fos.auckland.ac.nz>
Date: Fri, 29 Apr 2011 06:48:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1B8401A5-B0F2-4A53-BEDA-03EE40AA9B6B@vpnc.org>
References: <E1QFm9z-0007gV-4v@login01.fos.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.1084)
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Fri, 29 Apr 2011 13:49:20 -0000

On Apr 29, 2011, at 4:46 AM, Peter Gutmann wrote:

> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>
>> I bet that one of the first things that'd have to be done is make it simple
>> for web developers
>
> In that case it'd need to have an API built around things like "protect a
> password", "wrap a message", and one or two others, something a bit like what
> I suggested earlier.  How many web developers are going to even know what PKI
> path validation and TLS channel bindings are, let alone want to touch them
> with a barge pole?  The current proposal seems entirely tuned to meeting the
> needs of security geeks, and totally alien for web developers.


Why does such an API need to be just one (crypto primitives) or the
other (common uses of web developers)? Why not an API that has both
low-level and high-level calls? I know web developers who could use
either.

--Paul Hoffman


From nico@cryptonector.com  Fri Apr 29 08:14:20 2011
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EB12E06A0 for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 08:14:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.311
X-Spam-Level: 
X-Spam-Status: No, score=-2.311 tagged_above=-999 required=5 tests=[AWL=-0.334, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CxcE0zlBmTcC for <saag@ietfa.amsl.com>; Fri, 29 Apr 2011 08:14:16 -0700 (PDT)
Received: from homiemail-a31.g.dreamhost.com (caiajhbdcahe.dreamhost.com [208.97.132.74]) by ietfa.amsl.com (Postfix) with ESMTP id 6A7F5E0663 for <saag@ietf.org>; Fri, 29 Apr 2011 08:14:16 -0700 (PDT)
Received: from homiemail-a31.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTP id 183FD202038 for <saag@ietf.org>; Fri, 29 Apr 2011 08:14:16 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns; s=cryptonector.com; b=ROQPO8jh4PNBFHMufpGsh j98FE/QXqaVs36HXqDlFiNg4nt5x/hfKOuVfZx3LUDVto1ATG4iqmrvz4Ze81GwE avnt3xI+F3PIIY4FuGc1RZFMZy2KvS+39wu2pVXPhEOJ0dQt1Am5pteYvi20+1I7 2UIjrXudyfWRPNz4MSS9bo=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=8CcV0RPW9/oDeoX7rV2E CWMgAOo=; b=JD4DTiEpHmgmfVf7P6QWVlD0/EORH1s6yd6FLaUu+/v2mIqqjj7W twmj2O/fepeXkF7XuuBKWqWdU0A/kqOu+bwz3MGsIik+hPzjCjuqPGQWVsG1lS3X nlG52xkHKzPc1RkW1vxDalnHTWG2AXXakOSWFuZxDpkL36nNJbIEk74=
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTPSA id C158A20202C for <saag@ietf.org>; Fri, 29 Apr 2011 08:14:15 -0700 (PDT)
Received: by vxg33 with SMTP id 33so3327685vxg.31 for <saag@ietf.org>; Fri, 29 Apr 2011 08:14:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.111.71 with SMTP id ig7mr397740vdb.209.1304090055207; Fri, 29 Apr 2011 08:14:15 -0700 (PDT)
Received: by 10.52.163.71 with HTTP; Fri, 29 Apr 2011 08:14:15 -0700 (PDT)
In-Reply-To: <E1QFlvL-0006ri-Li@login01.fos.auckland.ac.nz>
References: <BANLkTi=+qUC-M97th4+L2XJ44dEm+ZSfFQ@mail.gmail.com> <E1QFlvL-0006ri-Li@login01.fos.auckland.ac.nz>
Date: Fri, 29 Apr 2011 10:14:15 -0500
Message-ID: <BANLkTimrjNGdGQneHtT-61XB1S8hUkB+4w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: text/plain; charset=UTF-8
Cc: saag@ietf.org
Subject: Re: [saag] Paper for W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
X-List-Received-Date: Fri, 29 Apr 2011 15:14:20 -0000

On Fri, Apr 29, 2011 at 6:31 AM, Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> Nico Williams <nico@cryptonector.com> writes:
>
>>Please add:
>
> That's it, it's doomed.  ...

I want to agree, but can't.  There are two big differences between
developers using what rope they have to implement cryptographic
protocols and their using off-the-shelf ones: a) they're bound to
screw it up if they implement their own, b) there can't be any decent
browser chrome integration if they implement their own crypto
protocols.

(b) is the user-noticeable difference.  (a) sucks too.

Of course, it's much easier to just give someone rope.  If that was
your point, well, I agree :)

>                     ...  You may as well just take the CDSA spec [0] and add a
> Javascript wrapper for it, given that it now includes pretty much everything,
> including at least two different styles of kitchen sink.

Why not say the same thing about PKI, TLS, SASL, GSS, Kerberos, IKE,
SSH, ...?  They're all complex enough for that complaint.  Oh, that's
right: those are actually being used, and widely so :)

The paper in question isn't asking for new or never-used frameworks,
nor new primitives.  It's asking for JavaScript interfaces to
_existing_ frameworks (e.g., PKI) and primitives.  That's NOT a lot to
ask for.  (Does something like SWIG exist for ECMAScript
implementations?)

Nico
--
