
From alex@um.es  Mon Jul  1 23:56:39 2013
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E74111E82F3; Mon,  1 Jul 2013 23:56:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHTDJUyKAJSe; Mon,  1 Jul 2013 23:56:33 -0700 (PDT)
Received: from xenon11.um.es (xenon11.um.es [155.54.212.165]) by ietfa.amsl.com (Postfix) with ESMTP id 35E0511E82F0; Mon,  1 Jul 2013 23:56:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon11.um.es (Postfix) with ESMTP id 1240453CF2; Tue,  2 Jul 2013 08:56:31 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon11.um.es
Received: from xenon11.um.es ([127.0.0.1]) by localhost (xenon11.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id dWhweECjRvBE; Tue,  2 Jul 2013 08:56:30 +0200 (CEST)
Received: from [192.168.1.102] (84.124.135.236.dyn.user.ono.com [84.124.135.236]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon11.um.es (Postfix) with ESMTPSA id A6A3153715; Tue,  2 Jul 2013 08:56:28 +0200 (CEST)
Message-ID: <51D2799C.8060205@um.es>
Date: Tue, 02 Jul 2013 08:56:28 +0200
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130514 Thunderbird/17.0.6
MIME-Version: 1.0
To: "radext@ietf.org" <radext@ietf.org>,  "abfab@ietf.org" <abfab@ietf.org>
References: <20130702064711.29981.10301.idtracker@ietfa.amsl.com>
In-Reply-To: <20130702064711.29981.10301.idtracker@ietfa.amsl.com>
X-Forwarded-Message-Id: <20130702064711.29981.10301.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------090901070802060201020005"
Subject: [abfab] FYI: New Version Notification for draft-perez-radext-radius-fragmentation-06.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2013 06:56:39 -0000

This is a multi-part message in MIME format.
--------------090901070802060201020005
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hello,

we have updated our RADIUS fragmentation draft. This new version 
addresses comments from Bernard, and re-introduces the possibility 
to send large amounts of authorization data before authentication.

Regards,
Alejandro


-------- Original Message --------
Subject: 	New Version Notification for 
draft-perez-radext-radius-fragmentation-06.txt
Date: 	Mon, 01 Jul 2013 23:47:11 -0700
From: 	internet-drafts@ietf.org
To: 	Alejandro Perez-Mendez <alex@um.es>, Rafael Lopez <rafa@um.es>, 
Fernando Pereniguez-Garcia <pereniguez@um.es>, Rafa Marin-Lopez 
<rafa@um.es>, Gabriel Lopez-Millan <gabilm@um.es>, Diego R. Lopez 
<diego@tid.es>, Alan DeKok <aland@networkradius.com>



A new version of I-D, draft-perez-radext-radius-fragmentation-06.txt
has been successfully submitted by Alejandro Perez-Mendez and posted to the
IETF repository.

Filename:	 draft-perez-radext-radius-fragmentation
Revision:	 06
Title:		 Support of fragmentation of RADIUS packets
Creation date:	 2013-07-02
Group:		 Individual Submission
Number of pages: 25
URL:             http://www.ietf.org/internet-drafts/draft-perez-radext-radius-fragmentation-06.txt
Status:          http://datatracker.ietf.org/doc/draft-perez-radext-radius-fragmentation
Htmlized:        http://tools.ietf.org/html/draft-perez-radext-radius-fragmentation-06
Diff:            http://www.ietf.org/rfcdiff?url2=draft-perez-radext-radius-fragmentation-06

Abstract:
    The Remote Authentication Dial-In User Service (RADIUS) protocol is
    limited to a total packet size of 4096 octets.  Provisions exist for
    fragmenting large amounts of authentication data across multiple
    packets, via Access-Challenge.  No similar provisions exist for
    fragmenting large amounts of authorization data.  This document
    specifies how existing RADIUS mechanisms can be leveraged to provide
    that functionality.  These mechanisms are largely compatible with
    existing implementations, and are designed to be invisible to
    proxies, and "fail-safe" to legacy clients and servers.



The IETF Secretariat




--------------090901070802060201020005--
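The abstract above states that a RADIUS packet is capped at 4096 octets and that large data therefore has to be spread across several packets. The Python below is an added example, not code from the draft or from the message authors; it shows only the size arithmetic any RADIUS fragmentation scheme must respect: the one-octet attribute Length field limits an attribute value to 253 octets, the 20-octet packet header leaves 4076 octets of attribute space per packet, and attributes must be packed whole. It uses the EAP-Message attribute (type 79, RFC 2869) as the carrier because that is the existing authentication-data case the abstract refers to; the draft's own fragment signalling (which attributes mark a fragment and how the peer acknowledges one) is not on this page and is not reproduced. The Response Authenticator follows RFC 2865 section 3; the shared secret, the Request Authenticator and the 10000-octet payload are constructed values.

```python
import hashlib
import os
import struct

RADIUS_HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
RADIUS_MAX_PACKET = 4096        # upper bound from RFC 2865, quoted in the abstract
ATTR_HEADER_LEN = 2             # Type(1) + Length(1)
ATTR_MAX_VALUE = 255 - ATTR_HEADER_LEN   # attribute Length is a single octet
EAP_MESSAGE = 79                # EAP-Message attribute type (RFC 2869)
ACCESS_CHALLENGE = 11           # packet code from RFC 2865


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV; refuse values the one-octet Length cannot describe."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if len(value) > ATTR_MAX_VALUE:
        raise ValueError("attribute value too long: %d > %d" % (len(value), ATTR_MAX_VALUE))
    return struct.pack("!BB", attr_type, len(value) + ATTR_HEADER_LEN) + value


def split_into_attributes(attr_type: int, data: bytes) -> list:
    """Carry a large octet string as consecutive same-type attributes (as EAP-Message
    is carried); the receiver concatenates them in order."""
    return [encode_attribute(attr_type, data[i:i + ATTR_MAX_VALUE])
            for i in range(0, len(data), ATTR_MAX_VALUE)]


def fragment_into_packets(attrs: list, max_packet: int = RADIUS_MAX_PACKET) -> list:
    """Greedy, order-preserving packing of whole attributes into packet-sized groups.
    An attribute is never split across two packets."""
    budget = max_packet - RADIUS_HEADER_LEN
    groups, current, used = [], [], 0
    for a in attrs:
        if len(a) > budget:
            raise ValueError("single attribute exceeds packet budget")
        if used + len(a) > budget:
            groups.append(current)
            current, used = [], 0
        current.append(a)
        used += len(a)
    if current:
        groups.append(current)
    return groups


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: list, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, RADIUS_HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Serialise a packet and enforce the 4096-octet limit at the last moment."""
    body = b"".join(attrs)
    length = RADIUS_HEADER_LEN + len(body)
    if length > RADIUS_MAX_PACKET:
        raise ValueError("packet exceeds %d octets" % RADIUS_MAX_PACKET)
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    return struct.pack("!BBH", code, identifier, length) + authenticator + body


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs of a packet, validating every Length field; returns (type, value)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < RADIUS_HEADER_LEN:
        raise ValueError("bad packet length")
    out, pos = [], RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < ATTR_HEADER_LEN:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < ATTR_HEADER_LEN or pos + attr_len > length:
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + ATTR_HEADER_LEN:pos + attr_len]))
        pos += attr_len
    return out


def reassemble(packets: list, attr_type: int) -> bytes:
    """Receiver side: concatenate the values of one attribute type across packets."""
    return b"".join(v for p in packets for (t, v) in parse_attributes(p) if t == attr_type)


def demo(payload_len: int = 10000):
    """Constructed case: a payload that cannot fit in one packet, split and rebuilt."""
    blob = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    attrs = split_into_attributes(EAP_MESSAGE, blob)
    groups = fragment_into_packets(attrs)
    request_auth = os.urandom(16)          # constructed; normally taken from the request
    secret = b"constructed-shared-secret"  # constructed placeholder
    packets = []
    for ident, group in enumerate(groups):
        auth = response_authenticator(ACCESS_CHALLENGE, ident, request_auth, group, secret)
        packets.append(build_packet(ACCESS_CHALLENGE, ident, auth, group))
    return packets, blob
```

Running `demo()` turns the 10000-octet payload into 40 EAP-Message attributes and three packets of 3845, 3845 and 2450 octets, each under the limit, and `reassemble` recovers the original bytes; trying to push all 40 attributes into one `build_packet` call raises instead of emitting an oversized packet.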

From internet-drafts@ietf.org  Wed Jul  3 03:51:23 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB55821F9C33; Wed,  3 Jul 2013 03:51:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.48
X-Spam-Level: 
X-Spam-Status: No, score=-102.48 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydrUnYHoCr85; Wed,  3 Jul 2013 03:51:23 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3526221F9C34; Wed,  3 Jul 2013 03:51:22 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.51.p2
Message-ID: <20130703105122.14242.5299.idtracker@ietfa.amsl.com>
Date: Wed, 03 Jul 2013 03:51:22 -0700
Cc: abfab@ietf.org
Subject: [abfab] I-D Action: draft-ietf-abfab-aaa-saml-06.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 10:51:24 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.

	Title           : A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML
	Author(s)       : Josh Howlett
                          Sam Hartman
	Filename        : draft-ietf-abfab-aaa-saml-06.txt
	Pages           : 22
	Date            : 2013-07-03

Abstract:
   This document specifies a RADIUS attribute, a binding, a name
   identifier format, two profiles, and two confirmation methods for the
   Security Assertion Mark-up Language (SAML).  The attribute provides
   RADIUS encapsulation of SAML protocol messages, and the binding
   describes the use of this attribute, and the SAML protocol messages
   within, with RADIUS transport.  The two profiles describe the
   application of this binding for ABFAB authentication and assertion
   query/request respectively.  The name identifier format allows a
   subject to be named using an NAI, and the subject confirmation
   methods allow queries to be issued for a principal without needing to
   explicitly name the intended subject within the request.  These
   artifacts have been defined to permit application in scenarios other
   than ABFAB, such as network access.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-abfab-aaa-saml-06

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-abfab-aaa-saml-06


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From Josh.Howlett@ja.net  Wed Jul  3 13:48:50 2013
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDB3711E8220 for <abfab@ietfa.amsl.com>; Wed,  3 Jul 2013 13:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fyuxRfaqAOBL for <abfab@ietfa.amsl.com>; Wed,  3 Jul 2013 13:48:45 -0700 (PDT)
Received: from egw002.ukerna.ac.uk (egw002.ukerna.ac.uk [194.81.3.65]) by ietfa.amsl.com (Postfix) with ESMTP id B69BD11E80CC for <abfab@ietf.org>; Wed,  3 Jul 2013 13:48:43 -0700 (PDT)
Received: from egw002.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 6366E20C7143_1D48E29B; Wed,  3 Jul 2013 20:48:41 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw002.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id BE67420C70FB_1D48E28F; Wed,  3 Jul 2013 20:48:40 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Wed, 3 Jul 2013 21:48:40 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: Jim Schaad <ietf@augustcellars.com>, 'Sam Hartman' <hartmans@painless-security.com>, 'Leif Johansson' <leifj@mnt.se>
Thread-Topic: [abfab] Naming of SAML and AAA systems
Thread-Index: AQHObeBeNQobE6KmnEeECspOwbUWY5lAqAoAgBLFpoA=
Date: Wed, 3 Jul 2013 20:48:39 +0000
Message-ID: <CDFA3B18.21099%Josh.Howlett@ja.net>
In-Reply-To: <06c301ce6eca$4800bc60$d8023520$@augustcellars.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <EE2B4965AC760543809A469E8102BE91@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Naming of SAML and AAA systems
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 20:48:51 -0000

I suggest we do this in Berlin; I assume there is agenda time available? I
can rehearse things here in advance if that would be helpful, but I think
this is one of those cases where a diagram or two could help.

I've submitted an update to aaa-saml that ought to address Jim's
outstanding issues, but not these.

Josh.

On 21/06/2013 22:57, "Jim Schaad" <ietf@augustcellars.com> wrote:

>Yes - but we still don't know what type of problem he thinks he is
>solving.
>
>Jim
>
>> -----Original Message-----
>> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf
>> Of Sam Hartman
>> Sent: Thursday, June 20, 2013 11:03 AM
>> To: Leif Johansson
>> Cc: abfab@ietf.org
>> Subject: Re: [abfab] Naming of SAML and AAA systems
>>
>> >>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
>>
>>     Leif> On 06/20/2013 04:16 PM, Sam Hartman wrote:
>>     >> Josh, in the case where someone is deploying SAML infrastructure
>>     >> specifically to work with ABFAB, I think it ought to be
>>     >> relatively easy to map naming between AAA and SAML.
>>     >>
>>     >> However, I don't understand how to do this in the case where
>>     >> we're using existing SAML infrastructure for ABFAB.
>>     Leif> This gets you into SAML metadata territory.
>>
>> I think Josh was looking for something structural.
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
>


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


From leifj@sunet.se  Mon Jul  8 00:03:20 2013
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CCB111E819E for <abfab@ietfa.amsl.com>; Mon,  8 Jul 2013 00:03:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HEDRgv3Wl3Xp for <abfab@ietfa.amsl.com>; Mon,  8 Jul 2013 00:03:19 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) by ietfa.amsl.com (Postfix) with ESMTP id 2FA2611E8193 for <abfab@ietf.org>; Mon,  8 Jul 2013 00:03:18 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.3/8.14.3/Debian-9.4) with ESMTP id r6873EQY014939 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Mon, 8 Jul 2013 09:03:14 +0200
Received: from [10.0.0.244] (tb62-102-145-131.cust.teknikbyran.com [62.102.145.131]) (authenticated bits=0) by smtp1.nordu.net (8.14.6/8.14.6) with ESMTP id r6873Bh2017045 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Mon, 8 Jul 2013 07:03:14 GMT
Message-ID: <51DA642F.7030007@sunet.se>
Date: Mon, 08 Jul 2013 09:03:11 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <CDFA3B18.21099%Josh.Howlett@ja.net>
In-Reply-To: <CDFA3B18.21099%Josh.Howlett@ja.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.005 (Score 0, tokens from: outbound, nordu-net:default, base:default, @@RPTN)
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=62.102.145.131; country=SE; region=26; city=Vallentuna; latitude=59.5333; longitude=18.0833; http://maps.google.com/maps?q=59.5333,18.0833&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aJVH3elz - fea5fb37096e - 20130708
X-Antispam-Training-Forget: https://mailfilter.nordu.net/canit/b.php?i=0aJVH3elz&m=fea5fb37096e&t=20130708&c=f
X-Antispam-Training-Nonspam: https://mailfilter.nordu.net/canit/b.php?i=0aJVH3elz&m=fea5fb37096e&t=20130708&c=n
X-Antispam-Training-Spam: https://mailfilter.nordu.net/canit/b.php?i=0aJVH3elz&m=fea5fb37096e&t=20130708&c=s
X-Scanned-By: CanIt (www . roaringpenguin . com)
Subject: Re: [abfab] Naming of SAML and AAA systems
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 07:03:20 -0000

On 07/03/2013 10:48 PM, Josh Howlett wrote:
> I suggest we do this in Berlin; I assume there is agenda time available? I
> can rehearse things here in advance if that would be helpful, but I think
> this is one of those cases where a diagram or two could help.
There is! Let's do that then.
>
> I've submitted an update to aaa-saml that ought to address Jim's
> outstanding issues, but not these.
Excellent!
>
> Josh.
>
> On 21/06/2013 22:57, "Jim Schaad" <ietf@augustcellars.com> wrote:
>
>> Yes - but we still don't know what type of problem he thinks he is
>> solving.
>>
>> Jim
>>
>>> -----Original Message-----
>>> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf
>>> Of Sam Hartman
>>> Sent: Thursday, June 20, 2013 11:03 AM
>>> To: Leif Johansson
>>> Cc: abfab@ietf.org
>>> Subject: Re: [abfab] Naming of SAML and AAA systems
>>>
>>>>>>>> "Leif" == Leif Johansson <leifj@mnt.se> writes:
>>>     Leif> On 06/20/2013 04:16 PM, Sam Hartman wrote:
>>>     >> Josh, in the case where someone is deploying SAML infrastructure
>>>     >> specifically to work with ABFAB, I think it ought to be
>>>     >> relatively easy to map naming between AAA and SAML.
>>>     >>
>>>     >> However, I don't understand how to do this in the case where
>>>     >> we're using existing SAML infrastructure for ABFAB.
>>>     Leif> This gets you into SAML metadata territory.
>>>
>>> I think Josh was looking for something structural.
>


From internet-drafts@ietf.org  Mon Jul  8 11:53:06 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5515421F9799; Mon,  8 Jul 2013 11:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Level: 
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jIeqTuuNSOpq; Mon,  8 Jul 2013 11:53:05 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A580221F8904; Mon,  8 Jul 2013 11:53:02 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.51.p2
Message-ID: <20130708185302.5854.12725.idtracker@ietfa.amsl.com>
Date: Mon, 08 Jul 2013 11:53:02 -0700
Cc: abfab@ietf.org
Subject: [abfab] I-D Action: draft-ietf-abfab-eapapplicability-04.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 18:53:06 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.

	Title           : Update to the EAP Applicability Statement for ABFAB
	Author(s)       : Stefan Winter
                          Joseph Salowey
	Filename        : draft-ietf-abfab-eapapplicability-04.txt
	Pages           : 7
	Date            : 2013-07-08

Abstract:
   This document updates the Extensible Authentication Protocol (EAP)
   applicability statement from RFC3748 to reflect recent usage of the
   EAP protocol in the Application Bridging for Federated Access Beyond
   web (ABFAB) architecture.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-abfab-eapapplicability

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-abfab-eapapplicability-04

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-abfab-eapapplicability-04


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From david.black@emc.com  Mon Jul  8 13:44:31 2013
Return-Path: <david.black@emc.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B91621F9E18; Mon,  8 Jul 2013 13:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYiHA9L0gMKd; Mon,  8 Jul 2013 13:44:26 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 798DA21F9E0D; Mon,  8 Jul 2013 13:44:24 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r68KhwW7016168 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 8 Jul 2013 16:44:07 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Mon, 8 Jul 2013 16:43:43 -0400
Received: from mxhub12.corp.emc.com (mxhub12.corp.emc.com [10.254.92.107]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r68Khg2q012722; Mon, 8 Jul 2013 16:43:43 -0400
Received: from mxhub40.corp.emc.com (128.222.70.107) by mxhub12.corp.emc.com (10.254.92.107) with Microsoft SMTP Server (TLS) id 8.3.297.1; Mon, 8 Jul 2013 16:43:42 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub40.corp.emc.com ([128.222.70.107]) with mapi; Mon, 8 Jul 2013 16:43:42 -0400
From: "Black, David" <david.black@emc.com>
To: "Black, David" <david.black@emc.com>, "stefan.winter@restena.lu" <stefan.winter@restena.lu>, "jsalowey@cisco.com" <jsalowey@cisco.com>, General Area Review Team <gen-art@ietf.org>
Date: Mon, 8 Jul 2013 16:43:41 -0400
Thread-Topic: Gen-ART review of draft-ietf-abfab-eapapplicability-04
Thread-Index: Ac5rzQ3h5Vr98eb9RParuraCHgwUcgQTfgIg
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712983F2C87@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "abfab@ietf.org" <abfab@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-04
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 20:44:31 -0000

The -04 version of this draft resolves the minor issue noted in
the Gen-ART review of the -03 version.

There is a remaining editorial nit, in that the one use of
"non-network" in the -04 version would benefit from clarification.
I suggest the following text change to the start of the paragraph
that's split across pages 3 and 4 (change is to last line of excerpt):

OLD
   Operators need to carefully consider the security implications before
   relaxing these requirements.  One potentially serious attack exists
   when channel binding is not required and EAP authentication is
   introduced into an existing non-network service.

NEW
   Operators need to carefully consider the security implications before
   relaxing these requirements.  One potentially serious attack exists
   when channel binding is not required and EAP authentication is
   introduced into an existing service other than network access.
Thanks,
--David

> -----Original Message-----
> From: Black, David
> Sent: Monday, June 17, 2013 10:39 PM
> To: stefan.winter@restena.lu; jsalowey@cisco.com; General Area Review Team
> Cc: ietf@ietf.org; abfab@ietf.org; Black, David
> Subject: Gen-ART review of draft-ietf-abfab-eapapplicability-03
>
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
>
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please resolve these comments along with any other Last Call comments
> you may receive.
>
> Document: draft-ietf-abfab-eapapplicability-03
> Reviewer: David L. Black
> Review Date: June 17, 2003
> IETF LC End Date: June 17, 2003
>
> Summary:
> This draft is on the right track but has open issues, described in the review.
>
> This draft updates the applicability statement for EAP to include usage
> for application layer access via EAP over GSSAPI.  Additional security
> requirements are introduced for environments in which EAP is used for
> that purpose.
>
> I found one open issue, which is minor, and may be editorial.
>
> Major issues: None
>
> Minor issues: One
>
> The next to last paragraph on p.3 begins with this sentence:
>
>    For these reasons, channel binding MUST be implemented by peers, EAP
>    servers and AAA servers in environments where EAP authentication is
>    used to access application layer services.
>
> It appears that this "MUST" requirement applies to all uses of EAP,
> including network access authentication, not just application layer access
> authentication.  If so, that's not immediately obvious from the text, and
> an additional sentence should be added to make this clearer.  If not,
> the above sentence needs to exclude network access authentication from
> that requirement.
>
> Nits/editorial comments:
>
> The same paragraph (p.3) continues with:
>
>    In addition, channel
>    binding MUST default to being required by peers for non-network
>    authentication.  If the EAP server is aware that authentication is
>    for something other than a network service, it too MUST default to
>    requiring channel binding.
>
> What is meant by "non-network authentication" and "other than a network
> service"?  If those mean "other than for network access authentication"
> as the term "network access authentication" is used in section 1 and
> RFC 3748, that meaning should be clarified.
>
> idnits 2.12.17 generated this comment:
>
>   -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
>      have content which was first submitted before 10 November 2008.  If you
>      have contacted all the original authors and they are all willing to grant
>      the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
>      this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
>      (See the Legal Provisions document at
>      http://trustee.ietf.org/license-info for more information.)
>
> idnits appears to be confused ;-).  The -00 version of this draft is from
> 2012,
> and this draft does not contain sufficient material from RFC 3748 that wo=
uld
> raise that concern, so this comment should be ok to ignore.
>=20
> Thanks,
> --David
> ----------------------------------------------------
> David L. Black, Distinguished Engineer
> EMC Corporation, 176 South St., Hopkinton, MA=A0 01748
> +1 (508) 293-7953=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 FAX: +1 (508) 293-7=
786
> david.black@emc.com=A0=A0=A0=A0=A0=A0=A0 Mobile: +1 (978) 394-7754
> ----------------------------------------------------


From internet-drafts@ietf.org  Mon Jul  8 16:34:57 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B5811E80E3; Mon,  8 Jul 2013 16:34:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KO+P+LbNniiX; Mon,  8 Jul 2013 16:34:57 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E19511E80E0; Mon,  8 Jul 2013 16:34:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.51.p2
Message-ID: <20130708233455.16990.69394.idtracker@ietfa.amsl.com>
Date: Mon, 08 Jul 2013 16:34:55 -0700
Cc: abfab@ietf.org
Subject: [abfab] I-D Action: draft-ietf-abfab-eapapplicability-05.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 23:34:57 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.

	Title           : Update to the EAP Applicability Statement for ABFAB
	Author(s)       : Stefan Winter
                          Joseph Salowey
	Filename        : draft-ietf-abfab-eapapplicability-05.txt
	Pages           : 7
	Date            : 2013-07-08

Abstract:
   This document updates the Extensible Authentication Protocol (EAP)
   applicability statement from RFC3748 to reflect recent usage of the
   EAP protocol in the Application Bridging for Federated Access Beyond
   web (ABFAB) architecture.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-abfab-eapapplicability

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-abfab-eapapplicability-05

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-abfab-eapapplicability-05


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From hartmans@painless-security.com  Wed Jul 10 04:51:56 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B7C211E8122 for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 04:51:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.322
X-Spam-Level: 
X-Spam-Status: No, score=-2.322 tagged_above=-999 required=5 tests=[AWL=0.277,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bMlg7JjqCY0K for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 04:51:47 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 4835821F9B25 for <abfab@ietf.org>; Wed, 10 Jul 2013 04:51:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id BA2142018C for <abfab@ietf.org>; Wed, 10 Jul 2013 07:46:50 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kyIA95gUts-V for <abfab@ietf.org>; Wed, 10 Jul 2013 07:46:50 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS for <abfab@ietf.org>; Wed, 10 Jul 2013 07:46:50 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C7C0488408; Wed, 10 Jul 2013 07:50:48 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Wed, 10 Jul 2013 07:50:48 -0400
Message-ID: <tslr4f6y6p3.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2013 11:51:56 -0000

On one of the Moonshot lists, we recently noticed that Moonshot simply
expects the AAA server to send back a SAML assertion in the AAA message.

However, draft-ietf-abfab-aaa-saml  expects a SAML response.

One answer is that Moonshot is broken and should be fixed to conform to
the spec.

However, Scott seemed to think the current behavior might be reasonable,
and it's certainly a lot easier to implement.  (Well, OK, we do have a
full SAML library, so parsing a response should be relatively easy too)

There are a couple of advantages to the current text.
First, it permits a request/response protocol.  Second, it permits
multiple assertions, which Jim is interested in for some of his use
cases.

There are some advantages to the Moonshot approach.  It's simpler and it
is shorter in a space-constrained RADIUS packet.

My recommendation is that  if an AAA server is sending an unsolicited
response with a single assertion, it just include the assertion.
Otherwise, it should include a response.
What do people think of this?

--Sam
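Sender- and receiver-side handling of the rule proposed above, as an added example that is not part of this thread, of draft-ietf-abfab-aaa-saml, or of Moonshot's code. The SAML 2.0 namespaces and element names are the real ones; the helper names make_assertion, build_payload and parse_payload are hypothetical, the sample issuer and subject values are constructed, and the payload is assumed to arrive already reassembled from whatever RADIUS attribute carries it. The receiver dispatches on the root element, so a bare Assertion and a Response are told apart without a separate type flag; it refuses a bare assertion while a request is outstanding, and on a Response it checks InResponseTo and the status code. XML signature verification, which a real relying party must do before trusting any of this, is deliberately left out.

```python
"""Added example: bare saml:Assertion vs samlp:Response on the AAA channel."""
import xml.etree.ElementTree as ET

# Real SAML 2.0 namespaces and status URI.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERTION = "{%s}Assertion" % SAML_NS
RESPONSE = "{%s}Response" % SAMLP_NS
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def make_assertion(assertion_id, issuer, subject):
    """Build a minimal, unsigned assertion from constructed sample data."""
    a = ET.Element(ASSERTION, {"ID": assertion_id, "Version": "2.0"})
    ET.SubElement(a, "{%s}Issuer" % SAML_NS).text = issuer
    subj = ET.SubElement(a, "{%s}Subject" % SAML_NS)
    ET.SubElement(subj, "{%s}NameID" % SAML_NS).text = subject
    return a


def build_payload(assertions, in_reply_to=None):
    """AAA server side (hypothetical helper).

    Unsolicited and exactly one assertion: send the assertion bare.
    Anything else (answering a request, or several assertions): wrap in a
    samlp:Response, with InResponseTo set when a request is being answered.
    """
    if in_reply_to is None and len(assertions) == 1:
        return ET.tostring(assertions[0])
    resp = ET.Element(RESPONSE, {"ID": "_resp1", "Version": "2.0"})
    if in_reply_to is not None:
        resp.set("InResponseTo", in_reply_to)
    status = ET.SubElement(resp, "{%s}Status" % SAMLP_NS)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP_NS, {"Value": STATUS_SUCCESS})
    for a in assertions:
        resp.append(a)
    return ET.tostring(resp)


def parse_payload(payload, outstanding_request_id=None):
    """Relying party side (hypothetical helper).

    Returns (kind, [assertion elements]) where kind is "assertion" or
    "response", or raises ValueError on anything that does not fit the rule.
    Production code should parse with defusedxml (stdlib ET still expands
    internal entities) and verify the XML signature before using the result.
    """
    root = ET.fromstring(payload)
    if root.tag == ASSERTION:
        # A bare assertion is only legitimate as an unsolicited reply.
        if outstanding_request_id is not None:
            raise ValueError("bare assertion received while a request is outstanding")
        return "assertion", [root]
    if root.tag == RESPONSE:
        if outstanding_request_id is not None and root.get("InResponseTo") != outstanding_request_id:
            raise ValueError("Response.InResponseTo does not match our request")
        code = root.find("{%s}Status/{%s}StatusCode" % (SAMLP_NS, SAMLP_NS))
        if code is None or code.get("Value") != STATUS_SUCCESS:
            raise ValueError("Response status is not Success")
        assertions = root.findall(ASSERTION)
        if not assertions:
            raise ValueError("Response carries no assertion")
        return "response", assertions
    raise ValueError("unexpected root element %s" % root.tag)


if __name__ == "__main__":
    alice = make_assertion("_a1", "idp.example", "alice")
    bob = make_assertion("_a2", "idp.example", "bob")
    for payload, req in ((build_payload([alice]), None),
                         (build_payload([alice, bob]), None),
                         (build_payload([alice], in_reply_to="_req9"), "_req9")):
        kind, found = parse_payload(payload, outstanding_request_id=req)
        print(kind, [a.get("ID") for a in found], len(payload), "bytes")
```

The size difference between the first and third payloads printed by the demo is the RADIUS-space argument made above; the receiver-side check that a bare assertion is rejected when a request is outstanding is the kind of rule the draft would need to state explicitly if it adopts the proposal.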

From Josh.Howlett@ja.net  Wed Jul 10 05:45:25 2013
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59C221F866E for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 05:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZUhkZ7o0TtN for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 05:45:19 -0700 (PDT)
Received: from egw002.ukerna.ac.uk (egw002.ukerna.ac.uk [194.81.3.65]) by ietfa.amsl.com (Postfix) with ESMTP id 85B3721F9F02 for <abfab@ietf.org>; Wed, 10 Jul 2013 05:45:19 -0700 (PDT)
Received: from egw002.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 6A5A220C85D6_1DD575EB; Wed, 10 Jul 2013 12:45:18 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw002.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 4553520C7180_1DD575EF; Wed, 10 Jul 2013 12:45:18 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Wed, 10 Jul 2013 13:45:18 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: Sam Hartman <hartmans@painless-security.com>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
Thread-Index: AQHOfWtULCp6hk5xuEeuTFxH/FoT8g==
Date: Wed, 10 Jul 2013 12:45:17 +0000
Message-ID: <CE0315B2.21A37%Josh.Howlett@ja.net>
In-Reply-To: <tslr4f6y6p3.fsf@mit.edu>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A30BBEE5EAB1C34591247A287B725FF7@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2013 12:45:26 -0000

>
>My recommendation is that  if an AAA server is sending an unsolicited
>response with a single assertion, it just include the assertion.
>Otherwise, it should include a response.
>What do people think of this?

I like it.

Josh.



From cantor.2@osu.edu  Wed Jul 10 06:24:40 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DB9E11E8170 for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 06:24:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUC4-9Gxu1mG for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 06:24:33 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe001.messaging.microsoft.com [216.32.180.11]) by ietfa.amsl.com (Postfix) with ESMTP id 9E39811E8167 for <abfab@ietf.org>; Wed, 10 Jul 2013 06:24:09 -0700 (PDT)
Received: from mail191-va3-R.bigfish.com (10.7.14.240) by VA3EHSOBE011.bigfish.com (10.7.40.61) with Microsoft SMTP Server id 14.1.225.22; Wed, 10 Jul 2013 13:24:08 +0000
Received: from mail191-va3 (localhost [127.0.0.1])	by mail191-va3-R.bigfish.com (Postfix) with ESMTP id B25E04C016B; Wed, 10 Jul 2013 13:24:08 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.218; KIP:(null); UIP:(null); IPV:NLI; H:cio-tnc-pf04; RD:none; EFVD:NLI
X-SpamScore: 3
X-BigFish: VPS3(zzbb2dI98dI9371I1432Izz1f42h1d77h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz8275bhz2fh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1b1cn1b1bi1155h)
Received-SPF: pass (mail191-va3: domain of osu.edu designates 164.107.81.218 as permitted sender) client-ip=164.107.81.218; envelope-from=cantor.2@osu.edu; helo=cio-tnc-pf04 ; cio-tnc-pf04 ; 
Received: from mail191-va3 (localhost.localdomain [127.0.0.1]) by mail191-va3 (MessageSwitch) id 1373462647588261_11939; Wed, 10 Jul 2013 13:24:07 +0000 (UTC)
Received: from VA3EHSMHS002.bigfish.com (unknown [10.7.14.241])	by mail191-va3.bigfish.com (Postfix) with ESMTP id 8A1304200AF; Wed, 10 Jul 2013 13:24:07 +0000 (UTC)
Received: from cio-tnc-pf04 (164.107.81.218) by VA3EHSMHS002.bigfish.com (10.7.99.12) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 10 Jul 2013 13:24:07 +0000
Received: from CIO-KRC-HT02.osuad.osu.edu (localhost [127.0.0.1])	by cio-tnc-pf04 (Postfix) with ESMTP id D4490380051; Wed, 10 Jul 2013 09:24:06 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT02.osuad.osu.edu ([fe80::8554:1787:2a7:72c9%12]) with mapi id 14.03.0123.003; Wed, 10 Jul 2013 09:24:06 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
Thread-Index: AQHOfXDA4WMZULhUcEiwF47oqkzlww==
Date: Wed, 10 Jul 2013 13:24:06 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD0E08C6@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <tslr4f6y6p3.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [128.146.178.16]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <10FF7528673F314EA7E5CAB3CBE9C9CC@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2013 13:24:40 -0000

On 7/10/13 7:50 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:
>
>However, Scott seemed to think the current behavior might be reasonable,
>and it's certainly a lot easier to implement.  (Well, OK, we do have a
>full SAML library, so parsing a response should be relatively easy too)

Parsing is not so big a deal, it's more about what processing rules would
be expected to apply.

>My recommendation is that  if an AAA server is sending an unsolicited
>response with a single assertion, it just include the assertion.
>Otherwise, it should include a response.
>What do people think of this?

From a coding PoV, if you have to handle the response in at least some
cases, then the main win would appear to be space, which is not
insignificant in this context I suppose.

I did note in the same thread that you may want to speak to encryption in
this as well. I don't know if it's even possible, let alone desirable, to
do XML Encryption here, but you should answer that somewhere if you
haven't already.

-- Scott



From d.w.chadwick@kent.ac.uk  Wed Jul 10 07:58:09 2013
Return-Path: <d.w.chadwick@kent.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E0821F854D for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 07:58:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JwLj5j+VgGRA for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 07:58:03 -0700 (PDT)
Received: from mx3.kent.ac.uk (mx3.kent.ac.uk [129.12.21.34]) by ietfa.amsl.com (Postfix) with ESMTP id BCADD21F9F86 for <abfab@ietf.org>; Wed, 10 Jul 2013 07:57:30 -0700 (PDT)
Received: from 187.91.112.87.dyn.plus.net ([87.112.91.187] helo=[192.168.1.69]) by mx3.kent.ac.uk with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72) (envelope-from <d.w.chadwick@kent.ac.uk>) id 1Uwvpf-0002J9-8M; Wed, 10 Jul 2013 15:57:27 +0100
Message-ID: <51DD7654.7030903@kent.ac.uk>
Date: Wed, 10 Jul 2013 15:57:24 +0100
From: David Chadwick <d.w.chadwick@kent.ac.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <tslr4f6y6p3.fsf@mit.edu>
In-Reply-To: <tslr4f6y6p3.fsf@mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: abfab@ietf.org
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2013 14:58:09 -0000

On 10/07/2013 12:50, Sam Hartman wrote:
>
>
> On one of the Moonshot lists, we recently noticed that Moonshot simply
> expects the AAA server to send back a SAML assertion in the AAA message.
>
> However, draft-ietf-abfab-aaa-saml  expects a SAML response.
>
> One answer is that Moonshot is broken and should be fixed to conform to
> the spec.
>
> However, Scott seemed to think the current behavior might be reasonable,
> and it's certainly a lot easier to implement.  (Well, OK, we do have a
> full SAML library, so parsing a response should be relatively easy too)
>
> There are a couple of advantages to the current text.
> First, it permits a request/response protocol.  Second, it permits
> multiple assertions, which Jim is interested in for some of his use
> cases.
>
> There are some advantages to the Moonshot approach.  It's simpler and it
> is shorter in a space-constrained RADIUS packet.
>
> My recommendation is that  if an AAA server is sending an unsolicited
> response with a single assertion, it just include the assertion.
> Otherwise, it should include a response.
> What do people think of this?

Firstly, I suggest these should be flagged as different attribute types,
so that the recipient knows before starting parsing the value what data
type it is.

Secondly (excuse my ignorance here), is it possible to send
multiple values of a particular attribute? If so, then there should be
no reason to limit unsolicited responses to containing a single
assertion. Each attribute value can be a different assertion.

regards

David

>
> --Sam
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
>

From hartmans@painless-security.com  Wed Jul 10 12:23:04 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DDA021F9EB7 for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 12:23:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.377
X-Spam-Level: 
X-Spam-Status: No, score=-2.377 tagged_above=-999 required=5 tests=[AWL=0.222,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zMeDInqfw+g9 for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 12:22:58 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id E00EF21F9D65 for <abfab@ietf.org>; Wed, 10 Jul 2013 12:22:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id E0A0820188; Wed, 10 Jul 2013 15:18:05 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aJTJaB9pkK16; Wed, 10 Jul 2013 15:18:04 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 10 Jul 2013 15:18:04 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 6E08A88408; Wed, 10 Jul 2013 15:22:04 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD0E08C6@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Wed, 10 Jul 2013 15:22:04 -0400
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD0E08C6@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott Cantor's message of "Wed, 10 Jul 2013 13:24:06 +0000")
Message-ID: <tslobaauso3.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2013 19:23:04 -0000

>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:

    >> My recommendation is that if an AAA server is sending an
    >> unsolicited response with a single assertion, it just include the
    >> assertion.  Otherwise, it should include a response.  What do
    >> people think of this?

    Cantor,> From a coding PoV, if you have to handle the response in at
    Cantor,> least some cases then the main win would appear to be
    Cantor,> space, which is not insignificant in this context I
    Cantor,> suppose.

Well, if you are an IDP who doesn't care about solicited requests--if
the request will never influence your behavior--then you can simplify
your processing.  Similarly, if you're a client that wouldn't know
what to do with multiple assertions and never sends a request, you
can simplify processing.

    Cantor,> I did note in the same thread that you may want to speak to
    Cantor,> encryption in this as well. I don't know if it's even
    Cantor,> possible, let alone desirable, to do XML Encryption here,
    Cantor,> but you should answer that somewhere if you haven't
    Cantor,> already.

I don't think encryption should be an MTI, but nor do I think it should
be forbidden.
Figuring out the keys is unspecified, although metadata is the obvious
answer.
I.e., I don't think we have anything new to say about encryption.

From ietf@augustcellars.com  Wed Jul 10 12:59:05 2013
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBB8221F9DE2 for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 12:59:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.449
X-Spam-Level: 
X-Spam-Status: No, score=-3.449 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1bvbgCvnuKY for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 12:59:01 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 313BC21F98AD for <abfab@ietf.org>; Wed, 10 Jul 2013 12:59:01 -0700 (PDT)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id F404D2CA21; Wed, 10 Jul 2013 12:58:48 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Sam Hartman'" <hartmans@painless-security.com>, <abfab@ietf.org>
References: <tslr4f6y6p3.fsf@mit.edu>
In-Reply-To: <tslr4f6y6p3.fsf@mit.edu>
Date: Wed, 10 Jul 2013 12:57:48 -0700
Message-ID: <038c01ce7da7$c13e2950$43ba7bf0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIubpXZl3H9pi7IXZhT2EvxGJEYSJieceNg
Content-Language: en-us
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what	Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2013 19:59:06 -0000

> -----Original Message-----
> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf
> Of Sam Hartman
> Sent: Wednesday, July 10, 2013 4:51 AM
> To: abfab@ietf.org
> Subject: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what
> Moonshot actually does
> 
> 
> 
> On one of the Moonshot lists, we recently noticed that Moonshot simply
> expects the AAA server to send back a SAML assertion in the AAA message.
> 
> However, draft-ietf-abfab-aaa-saml  expects a SAML response.
> 
> One answer is that Moonshot is broken and should be fixed to conform to
> the spec.
> 
> However, Scott seemed to think the current behavior might be reasonable,
> and it's certainly a lot easier to implement.  (Well, OK, we do have a
full
> SAML library, so parsing a response should be relatively easy too)
> 
> There are a couple of advantages to the current text.
> First, it permits a request/response protocol.  Second, it permits
multiple
> assertions, which Jim is interested in for some of his use cases.
> 
> There are some advantages to the Moonshot approach.  It's simpler and it
is
> shorter in a space-constrained RADIUS packet.
> 
> My recommendation is that  if an AAA server is sending an unsolicited
> response with a single assertion, it just include the assertion.
> Otherwise, it should include a response.
> What do people think of this?

I think this is reasonable with one caveat: I don't believe that an
unsolicited response should be returned if the IDP make a request.

Jim

> 
> --Sam
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From ietf@augustcellars.com  Wed Jul 10 13:02:48 2013
Return-Path: <ietf@augustcellars.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6770721F9D91 for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 13:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.47
X-Spam-Level: 
X-Spam-Status: No, score=-3.47 tagged_above=-999 required=5 tests=[AWL=0.129,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xAGCOEWDcfUI for <abfab@ietfa.amsl.com>; Wed, 10 Jul 2013 13:02:43 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 180AD21F9DA1 for <abfab@ietf.org>; Wed, 10 Jul 2013 13:02:41 -0700 (PDT)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 934A12CA2E; Wed, 10 Jul 2013 13:02:39 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Sam Hartman'" <hartmans@painless-security.com>, "'Cantor, Scott'" <cantor.2@osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD0E08C6@CIO-KRC-D1MBX01.osuad.osu.edu> <tslobaauso3.fsf@mit.edu>
In-Reply-To: <tslobaauso3.fsf@mit.edu>
Date: Wed, 10 Jul 2013 13:01:39 -0700
Message-ID: <038d01ce7da8$4aae07a0$e00a16e0$@augustcellars.com>
Cc: abfab@ietf.org
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

> -----Original Message-----
> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf
> Of Sam Hartman
> Sent: Wednesday, July 10, 2013 12:22 PM
> To: Cantor, Scott
> Cc: abfab@ietf.org
> Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what
> Moonshot actually does
> 
> >>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:
> 
>     >> My recommendation is that if an AAA server is sending an
>     >> unsolicited response with a single assertion, it just include the
>     >> assertion.  Otherwise, it should include a response.  What do
>     >> people think of this?
> 
>     Cantor,> From a coding PoV, if you have to handle the response in at
>     Cantor,> least some cases than the main win would appear to be
>     Cantor,> space, which is not insignificant in this context I
>     Cantor,> suppose.
> 
> Well, if you are an IDP who doesn't care about solicited requests--if
> the request will never influence your behavior--then you can simplify
> your processing.  Similarly if you're a client that wouldn't know
> what to do with multiple assertions and never sends a request, you
> can simplify processing.
> 
>     Cantor,> I did note in the same thread that you may want to speak to
>     Cantor,> encryption in this as well. I don't know if it's even
>     Cantor,> possible, let alone desirable, to do XML Encryption here,
>     Cantor,> but you should answer that somewhere if you haven't
>     Cantor,> already.
> 
> I don't think encryption should be an MTI, but nor do I think it should be
> forbidden.
> Figuring out the keys is unspecified, although metadata is the obvious
> answer.
> I.E. I don't think we have anything new to say about encryption.

Yeah, my first thought was how would a key for the IDP ever be figured out.
We are basically assuming that any and all proxies have to be extremely
trusted and all links are encrypted.  I don't see that we are going to buy
anything by having encryption except to make things bigger which would be a
problem.

Jim



From cantor.2@osu.edu  Wed Jul 10 13:39:34 2013
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Date: Wed, 10 Jul 2013 20:39:22 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD0E2160@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <tslobaauso3.fsf@mit.edu>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

On 7/10/13 3:22 PM, "Sam Hartman" <hartmans@painless-security.com> wrote:
>
>Well, if you are an IDP who doesn't care about solicited requests--if
>the request will never influence your behavior--then you can simplify
>your processing.  Similarly if you're a client that wouldn't know
>what to do with multiple assertions and never sends a request, you
>can simplify processing.

A SAML IdP would generally have more trouble handling the requirement to
not generate a response, but of course if you're generating an assertion
as part of some other software that's not an issue.

Certainly it's true that a client that could preclude the other case would
be able to simplify, but as a library developer, I tend not to think about
such cases.

>I don't think encryption should be an MTI, but nor do I think it should
>be forbidden.
>Figuring out the keys is unspecified, although metadata is the obvious
>answer.
>I.E. I don't think we have anything new to say about encryption.

Ok, then it's relevant that a client might not get just an Assertion but
alternatively an EncryptedAssertion, different elements.

-- Scott



From cantor.2@osu.edu  Wed Jul 10 13:40:51 2013
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Jim Schaad <ietf@augustcellars.com>, 'Sam Hartman' <hartmans@painless-security.com>
Date: Wed, 10 Jul 2013 20:40:38 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD0E2174@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <038d01ce7da8$4aae07a0$e00a16e0$@augustcellars.com>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

>> I.E. I don't think we have anything new to say about encryption.
>
>Yeah, my first thought was how would a key for the IDP ever be figured
>out.

SP, not IdP. The relying party's key is what's used to encrypt, in general.

>We are basically assuming that any and all proxies have to be extremely
>trusted and all links are encrypted.  I don't see that we are going to buy
>anything by having encryption except to make things bigger which would be
>a
>problem.

I assumed as much so wondered if you wanted to preclude it.

-- Scott



From hartmans@painless-security.com  Wed Jul 10 15:34:28 2013
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD0E2174@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Wed, 10 Jul 2013 18:33:34 -0400
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD0E2174@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott Cantor's message of "Wed, 10 Jul 2013 20:40:38 +0000")
Message-ID: <tsl8v1eujsx.fsf@mit.edu>
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:

    >>> I.E. I don't think we have anything new to say about encryption.
    >> 
    >> Yeah, my first thought was how would a key for the IDP ever be
    >> figured out.

    Cantor,> SP, not IdP. The relying party's key is what's used to
    Cantor,> encrypt, in general.

    >> We are basically assuming that any and all proxies have to be
    >> extremely trusted and all links are encrypted.  I don't see that
    >> we are going to buy anything by having encryption except to make
    >> things bigger which would be a problem.

    Cantor,> I assumed as much so wondered if you wanted to preclude it.

Seems to me that if you have a way of getting a credible key for the SP,
then it's fine to use it.

If you encrypt in a key that the other party doesn't know, interop may
be impacted. This is probably unsurprising :-)

From cantor.2@osu.edu  Wed Jul 10 16:54:10 2013
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Date: Wed, 10 Jul 2013 23:53:59 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <tsl8v1eujsx.fsf@mit.edu>
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com> wrote:
>
>seems to me that if you have a way of getting a credible key for the SP,
>then it's fine to use it.
>
>If you encrypt in a key that the other party doesn't know, interop may
>be impacted. This is probably unsurprising:-)

I have no issue with allowing it, I just wanted to note it as another case
where the object "at hand" might not be <saml:Assertion>. I also don't
know if it warrants defining a different RADIUS attribute to carry it.

-- Scott



From hartmans@painless-security.com  Wed Jul 10 18:43:43 2013
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu>
From: Sam Hartman <hartmans@painless-security.com>
Date: Wed, 10 Jul 2013 21:43:26 -0400
To: "Cantor, Scott" <cantor.2@osu.edu>
Message-ID: <03a45aa9-45d3-475f-a6ff-ac5d32d92d0f@email.android.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does


In this case I think you should send a response rather than an encrypted assertion

"Cantor, Scott" <cantor.2@osu.edu> wrote:
>On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com>
>wrote:
>>
>>seems to me that if you have a way of getting a credible key for the
>SP,
>>then it's fine to use it.
>>
>>If you encrypt in a key that the other party doesn't know, interop may
>>be impacted. This is probably unsurprising:-)
>
>I have no issue with allowing it, I just wanted to note it as another
>case
>where the object "at hand" might not be <saml:Assertion>. I also don't
>know if it warrants defining a different RADIUS attribute to carry it.
>
>-- Scott

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
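A receiver-side check for the shape rule this sub-thread converges on (a bare Assertion only for an unsolicited single assertion, a Response otherwise, and no bare EncryptedAssertion), as an added example that is not code from the draft, Moonshot or any participant. The SamlPayloadError class, the function names and the sample payloads are constructed for illustration, and the InResponseTo and Status checks are assumptions about what a careful client would verify rather than anything the thread specifies.

```python
import xml.etree.ElementTree as ET

# Added example, not code from draft-ietf-abfab-aaa-saml, Moonshot or any
# list participant. Assumed shape rule, following the thread: an unsolicited
# single assertion travels as a bare saml:Assertion; anything else (answer
# to a query, several assertions, an encrypted assertion) is wrapped in a
# samlp:Response; a bare saml:EncryptedAssertion is rejected. Input is the
# XML already reassembled from the AAA attribute.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERTION = "{%s}Assertion" % SAML
ENC_ASSERTION = "{%s}EncryptedAssertion" % SAML
RESPONSE = "{%s}Response" % SAMLP
STATUS_CODE = "{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlPayloadError(ValueError):
    """The payload does not follow the assumed shape rule."""


def classify_payload(xml_bytes, request_id=None):
    """Return (kind, plain_assertions, encrypted_assertions).

    kind is "assertion" for a bare unsolicited assertion, else "response".
    request_id is the ID of the samlp query this client sent, or None when
    it sent none and therefore only accepts unsolicited data.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag == ASSERTION:
        # A bare assertion is only valid in the unsolicited case.
        if request_id is not None:
            raise SamlPayloadError("answer to a query must be a samlp:Response")
        return ("assertion", 1, 0)
    if root.tag == ENC_ASSERTION:
        raise SamlPayloadError("bare EncryptedAssertion; expected samlp:Response")
    if root.tag != RESPONSE:
        raise SamlPayloadError("unexpected root element %s" % root.tag)

    # Bind the response to our query (or to none), so a response issued
    # for some other request is not consumed as the answer to ours.
    in_response_to = root.get("InResponseTo")
    if request_id is None and in_response_to is not None:
        raise SamlPayloadError("solicited response, but no query was sent")
    if request_id is not None and in_response_to != request_id:
        raise SamlPayloadError("InResponseTo does not match our query")

    status = root.find(STATUS_CODE)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlPayloadError("response status is not Success")

    plain = len(root.findall(ASSERTION))
    encrypted = len(root.findall(ENC_ASSERTION))
    if plain + encrypted == 0:
        raise SamlPayloadError("response carries no assertion")
    return ("response", plain, encrypted)


def is_rejected(xml_bytes, request_id=None):
    """True when classify_payload refuses the payload."""
    try:
        classify_payload(xml_bytes, request_id)
    except SamlPayloadError:
        return True
    return False


# Constructed sample payloads (not captured from any deployment).
UNSOLICITED_ASSERTION = b"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-07-10T20:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
</saml:Assertion>"""

SOLICITED_RESPONSE = b"""\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2013-07-10T20:00:01Z" InResponseTo="_q1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2013-07-10T20:00:01Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
  </saml:Assertion>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>"""

BARE_ENCRYPTED = b"""\
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
</saml:EncryptedAssertion>"""

if __name__ == "__main__":
    print(classify_payload(UNSOLICITED_ASSERTION))      # ('assertion', 1, 0)
    print(classify_payload(SOLICITED_RESPONSE, "_q1"))  # ('response', 1, 1)
    print(is_rejected(BARE_ENCRYPTED))                  # True
```

Decrypting the EncryptedAssertion with the SP's key is a separate step that runs only after the Response has passed these checks.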


From gabilm@um.es  Thu Jul 11 00:43:09 2013
Message-ID: <51DE62B2.8000205@um.es>
Date: Thu, 11 Jul 2013 09:45:54 +0200
From: Gabriel López <gabilm@um.es>
To: Sam Hartman <hartmans@painless-security.com>
References: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu> <03a45aa9-45d3-475f-a6ff-ac5d32d92d0f@email.android.com>
In-Reply-To: <03a45aa9-45d3-475f-a6ff-ac5d32d92d0f@email.android.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does


On 11/07/13 03:43, Sam Hartman wrote:
> In this case I think you should send a response rather than an encrypted assertion
I agree.

And in this case I think it would be a more elegant solution if the
client specifies (AuthnQuery, AttributeQuery, AuthzDecisionQuery) the
kind of assertion to be returned by the IdP. I think the current draft
version points out a MAY in this case. It would also help the IdP not
to spend time processing SAML data if the client does not support it.

regards, Gabi.
>
> "Cantor, Scott" <cantor.2@osu.edu> wrote:
>> On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com>
>> wrote:
>>> seems to me that if you have a way of getting a credible key for the
>> SP,
>>> then it's fine to use it.
>>>
>>> If you encrypt in a key that the other party doesn't know, interop may
>>> be impacted. This is probably unsurprising:-)
>> I have no issue with allowing it, I just wanted to note it as another
>> case
>> where the object "at hand" might not be <saml:Assertion>. I also don't
>> know if it warrants defining a different RADIUS attribute to carry it.
>>
>> -- Scott
>
>


-- 
--------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: gabilm@um.es


--------------050308050202070105050509--

From d.w.chadwick@kent.ac.uk  Thu Jul 11 02:06:08 2013
Return-Path: <d.w.chadwick@kent.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA54221F9D9B for <abfab@ietfa.amsl.com>; Thu, 11 Jul 2013 02:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A-xwj1ihjLCk for <abfab@ietfa.amsl.com>; Thu, 11 Jul 2013 02:06:02 -0700 (PDT)
Received: from mx3.kent.ac.uk (mx3.kent.ac.uk [129.12.21.34]) by ietfa.amsl.com (Postfix) with ESMTP id 92C3321F964C for <abfab@ietf.org>; Thu, 11 Jul 2013 02:06:02 -0700 (PDT)
Received: from [46.208.193.218] (helo=[192.168.1.69]) by mx3.kent.ac.uk with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72) (envelope-from <d.w.chadwick@kent.ac.uk>) id 1UxCp1-0007p9-S5; Thu, 11 Jul 2013 10:05:55 +0100
Message-ID: <51DE756F.4000500@kent.ac.uk>
Date: Thu, 11 Jul 2013 10:05:51 +0100
From: David Chadwick <d.w.chadwick@kent.ac.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: "Cantor, Scott" <cantor.2@osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Jim Schaad <ietf@augustcellars.com>, "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2013 09:06:08 -0000

In my opinion you should have different RADIUS attributes for each 
different type of encoded attribute: response, assertion, encrypted 
assertion etc., so that the RP/SP knows what it is receiving.

David

On 11/07/2013 00:53, Cantor, Scott wrote:
> On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com> wrote:
>>
>> seems to me that if you have a way of getting a credible key for the SP,
>> then it's fine to use it.
>>
>> If you encrypt in a key that the other party doesn't know, interop may
>> be impacted. This is probably unsurprising:-)
>
> I have no issue with allowing it, I just wanted to note it as another case
> where the object "at hand" might not be <saml:Assertion>. I also don't
> know if it warrants defining a different RADIUS attribute to carry it.
>
> -- Scott
>
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
>

From alex@um.es  Thu Jul 11 02:11:26 2013
Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43A8221F85B4 for <abfab@ietfa.amsl.com>; Thu, 11 Jul 2013 02:11:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1AZ8qamJL9Gr for <abfab@ietfa.amsl.com>; Thu, 11 Jul 2013 02:11:21 -0700 (PDT)
Received: from xenon13.um.es (xenon13.um.es [155.54.212.167]) by ietfa.amsl.com (Postfix) with ESMTP id 47B2121F9B0F for <abfab@ietf.org>; Thu, 11 Jul 2013 02:11:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon13.um.es (Postfix) with ESMTP id 7A84A5D6B6 for <abfab@ietf.org>; Thu, 11 Jul 2013 11:11:11 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon13.um.es
Received: from xenon13.um.es ([127.0.0.1]) by localhost (xenon13.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id OaIGuFBTd1e9 for <abfab@ietf.org>; Thu, 11 Jul 2013 11:11:10 +0200 (CEST)
Received: from [155.54.205.73] (inf-205-73.inf.um.es [155.54.205.73]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon13.um.es (Postfix) with ESMTPSA id A9A565D550 for <abfab@ietf.org>; Thu, 11 Jul 2013 11:11:09 +0200 (CEST)
Message-ID: <51DE76AD.6000008@um.es>
Date: Thu, 11 Jul 2013 11:11:09 +0200
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130625 Thunderbird/17.0.7
MIME-Version: 1.0
To: abfab@ietf.org
References: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu> <51DE756F.4000500@kent.ac.uk>
In-Reply-To: <51DE756F.4000500@kent.ac.uk>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2013 09:11:26 -0000

Hi,

I think a better option would be to define a "type" subfield in the 
SAML-AAA attribute, indicating what's coming next in the value field 
(i.e. Response, Assertion, ...).

Regards,
Alejandro

> in my opinion you should have different Radius attributes for each 
> different type of encoded attribute: response, assertion, encrypted 
> assertion etc. so that the RP/SP knows what it is receiving
>
> David
>
> On 11/07/2013 00:53, Cantor, Scott wrote:
>> On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com> 
>> wrote:
>>>
>>> seems to me that if you have a way of getting a credible key for the 
>>> SP,
>>> then it's fine to use it.
>>>
>>> If you encrypt in a key that the other party doesn't know, interop may
>>> be impacted. This is probably unsurprising:-)
>>
>> I have no issue with allowing it, I just wanted to note it as another 
>> case
>> where the object "at hand" might not be <saml:Assertion>. I also don't
>> know if it warrants defining a different RADIUS attribute to carry it.
>>
>> -- Scott
>>
>>
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
>>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From hartmans@painless-security.com  Thu Jul 11 03:21:16 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 132AA21F9F36 for <abfab@ietfa.amsl.com>; Thu, 11 Jul 2013 03:21:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.46
X-Spam-Level: 
X-Spam-Status: No, score=-2.46 tagged_above=-999 required=5 tests=[AWL=0.139,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YooDWFiRHpKp for <abfab@ietfa.amsl.com>; Thu, 11 Jul 2013 03:21:10 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id AD30821F9C8F for <abfab@ietf.org>; Thu, 11 Jul 2013 03:21:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 15A7720134; Thu, 11 Jul 2013 06:16:12 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlazyhBIPRYF; Thu, 11 Jul 2013 06:16:10 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Thu, 11 Jul 2013 06:16:10 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 43E8388408; Thu, 11 Jul 2013 06:20:06 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alejandro Perez Mendez <alex@um.es>
References: <BA63CEAE152A7742B854C678D9491383AD0E2461@CIO-KRC-D1MBX01.osuad.osu.edu> <51DE756F.4000500@kent.ac.uk> <51DE76AD.6000008@um.es>
Date: Thu, 11 Jul 2013 06:20:06 -0400
In-Reply-To: <51DE76AD.6000008@um.es> (Alejandro Perez Mendez's message of "Thu, 11 Jul 2013 11:11:09 +0200")
Message-ID: <tslk3kxtn3d.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: abfab@ietf.org
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2013 10:21:16 -0000

>>>>> "Alejandro" == Alejandro Perez Mendez <alex@um.es> writes:

    Alejandro> Hi, I think a better option would be to define a "type"
    Alejandro> subfield in the SAML-AAA attribute, indicating what's
    Alejandro> coming next in the value field (i.e. Response,
    Alejandro> Assertion..).

    Alejandro> Regards, Alejandro

I thought we had this for context anyway.
I agree though.

From Josh.Howlett@ja.net  Fri Jul 12 01:43:22 2013
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8B621F9DD7 for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 01:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.432
X-Spam-Level: 
X-Spam-Status: No, score=-102.432 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1FlBC-Y8sWm for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 01:43:17 -0700 (PDT)
Received: from egw001.ukerna.ac.uk (egw001.ukerna.ac.uk [194.82.140.74]) by ietfa.amsl.com (Postfix) with ESMTP id 00DC421F9DCE for <abfab@ietf.org>; Fri, 12 Jul 2013 01:43:16 -0700 (PDT)
Received: from egw001.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 7F7751AA2F88_1DFC1A1B; Fri, 12 Jul 2013 08:43:13 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw001.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 530931AA2F73_1DFC1A0F; Fri, 12 Jul 2013 08:43:12 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Fri, 12 Jul 2013 09:43:12 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: Alejandro Perez Mendez <alex@um.es>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
Thread-Index: AQHOfcjRvzRJ0SB/7kKVqy/NvsNXA5lfH1mAgAABe4CAAZs3gA==
Date: Fri, 12 Jul 2013 08:43:11 +0000
Message-ID: <CE057F8E.21F62%Josh.Howlett@ja.net>
In-Reply-To: <51DE76AD.6000008@um.es>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A5C3313704EE4E48BF10404890B5309C@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 08:43:22 -0000

Why?

Isn't it sufficient for the AAA layer to know that it is a SAML blob? Why
does the AAA layer care about the semantics of the blob?

Josh.

On 11/07/2013 10:11, "Alejandro Perez Mendez" <alex@um.es> wrote:

>Hi,
>
>I think a better option would be to  define a "type" subfield in the
>SAML-AAA attribute, indicating what's coming next in the value field
>(i.e. Response, Assertion..).
>
>Regards,
>Alejandro
>
>> in my opinion you should have different Radius attributes for each
>> different type of encoded attribute: response, assertion, encrypted
>> assertion etc. so that the RP/SP knows what it is receiving
>>
>> David
>>
>> On 11/07/2013 00:53, Cantor, Scott wrote:
>>> On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com>
>>> wrote:
>>>>
>>>> seems to me that if you have a way of getting a credible key for the
>>>> SP,
>>>> then it's fine to use it.
>>>>
>>>> If you encrypt in a key that the other party doesn't know, interop may
>>>> be impacted. This is probably unsurprising:-)
>>>
>>> I have no issue with allowing it, I just wanted to note it as another
>>> case
>>> where the object "at hand" might not be <saml:Assertion>. I also don't
>>> know if it warrants defining a different RADIUS attribute to carry it.
>>>
>>> -- Scott
>>>
>>>
>>> _______________________________________________
>>> abfab mailing list
>>> abfab@ietf.org
>>> https://www.ietf.org/mailman/listinfo/abfab
>>>
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
>
>_______________________________________________
>abfab mailing list
>abfab@ietf.org
>https://www.ietf.org/mailman/listinfo/abfab


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


From d.w.chadwick@kent.ac.uk  Fri Jul 12 01:52:13 2013
Return-Path: <d.w.chadwick@kent.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A23F21F9EEF for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 01:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8JGBls1Z-FVW for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 01:52:08 -0700 (PDT)
Received: from mx2.kent.ac.uk (mx2.kent.ac.uk [129.12.21.33]) by ietfa.amsl.com (Postfix) with ESMTP id 1127F21F9F21 for <abfab@ietf.org>; Fri, 12 Jul 2013 01:52:07 -0700 (PDT)
Received: from edue4c7.kent.ac.uk ([129.12.228.199]) by mx2.kent.ac.uk with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72) (envelope-from <d.w.chadwick@kent.ac.uk>) id 1UxZ59-0001gf-Jt; Fri, 12 Jul 2013 09:52:03 +0100
Message-ID: <51DFC3B1.7030300@kent.ac.uk>
Date: Fri, 12 Jul 2013 09:52:01 +0100
From: David Chadwick <d.w.chadwick@kent.ac.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Josh Howlett <Josh.Howlett@ja.net>
References: <CE057F8E.21F62%Josh.Howlett@ja.net>
In-Reply-To: <CE057F8E.21F62%Josh.Howlett@ja.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 08:52:13 -0000

To make parsing and diagnostics somewhat easier. Why does RADIUS 
differentiate between attributes at all? Or, to follow your argument, 
why not simply have an XML attribute type to say that what follows is a 
blob of XML? Why bother saying that it is SAML?

regards

David

On 12/07/2013 09:43, Josh Howlett wrote:
> Why?
>
> Isn't it sufficient for the AAA layer to know that it is a SAML blob? Why
> does the AAA layer care about the semantics of the blob?
>
> Josh.
>
> On 11/07/2013 10:11, "Alejandro Perez Mendez" <alex@um.es> wrote:
>
>> Hi,
>>
>> I think a better option would be to  define a "type" subfield in the
>> SAML-AAA attribute, indicating what's coming next in the value field
>> (i.e. Response, Assertion..).
>>
>> Regards,
>> Alejandro
>>
>>> in my opinion you should have different Radius attributes for each
>>> different type of encoded attribute: response, assertion, encrypted
>>> assertion etc. so that the RP/SP knows what it is receiving
>>>
>>> David
>>>
>>> On 11/07/2013 00:53, Cantor, Scott wrote:
>>>> On 7/10/13 6:33 PM, "Sam Hartman" <hartmans@painless-security.com>
>>>> wrote:
>>>>>
>>>>> seems to me that if you have a way of getting a credible key for the
>>>>> SP,
>>>>> then it's fine to use it.
>>>>>
>>>>> If you encrypt in a key that the other party doesn't know, interop may
>>>>> be impacted. This is probably unsurprising:-)
>>>>
>>>> I have no issue with allowing it, I just wanted to note it as another
>>>> case
>>>> where the object "at hand" might not be <saml:Assertion>. I also don't
>>>> know if it warrants defining a different RADIUS attribute to carry it.
>>>>
>>>> -- Scott
>>>>
>>>>
>>>> _______________________________________________
>>>> abfab mailing list
>>>> abfab@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/abfab
>>>>
>>> _______________________________________________
>>> abfab mailing list
>>> abfab@ietf.org
>>> https://www.ietf.org/mailman/listinfo/abfab
>>
>> _______________________________________________
>> abfab mailing list
>> abfab@ietf.org
>> https://www.ietf.org/mailman/listinfo/abfab
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
>

From hartmans@painless-security.com  Fri Jul 12 03:38:25 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0867A21F9D7D for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 03:38:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ql4tCXfOs0tG for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 03:38:16 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 45C6021F9D31 for <abfab@ietf.org>; Fri, 12 Jul 2013 03:38:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id EC83F20181; Fri, 12 Jul 2013 06:33:25 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUcJTVI5QDqn; Fri, 12 Jul 2013 06:33:24 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [209.117.47.248]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Fri, 12 Jul 2013 06:33:24 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A3DD6809B9; Fri, 12 Jul 2013 06:37:24 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Josh Howlett <Josh.Howlett@ja.net>
References: <CE057F8E.21F62%Josh.Howlett@ja.net>
Date: Fri, 12 Jul 2013 06:37:24 -0400
In-Reply-To: <CE057F8E.21F62%Josh.Howlett@ja.net> (Josh Howlett's message of "Fri, 12 Jul 2013 08:43:11 +0000")
Message-ID: <tslbo68dpy3.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 10:38:25 -0000

>>>>> "Josh" == Josh Howlett <Josh.Howlett@ja.net> writes:

    Josh> Why?  Isn't it sufficient for the AAA layer to know that it is
    Josh> a SAML blob? Why does the AAA layer care about the semantics
    Josh> of the blob?

You and I should get together in person and work through this again and
write text in the same session.

Unfortunately this seems to be a case where the discussion expires from
the cache too soon.:-)

From cantor.2@osu.edu  Fri Jul 12 06:58:06 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7699211E810C for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 06:58:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pon09g2Tcd3G for <abfab@ietfa.amsl.com>; Fri, 12 Jul 2013 06:58:00 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe005.messaging.microsoft.com [65.55.88.15]) by ietfa.amsl.com (Postfix) with ESMTP id 2FE2711E80FE for <abfab@ietf.org>; Fri, 12 Jul 2013 06:57:59 -0700 (PDT)
Received: from mail66-tx2-R.bigfish.com (10.9.14.238) by TX2EHSOBE012.bigfish.com (10.9.40.32) with Microsoft SMTP Server id 14.1.225.22; Fri, 12 Jul 2013 13:57:59 +0000
Received: from mail66-tx2 (localhost [127.0.0.1])	by mail66-tx2-R.bigfish.com (Postfix) with ESMTP id 57D363405B1; Fri, 12 Jul 2013 13:57:59 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.214; KIP:(null); UIP:(null); IPV:NLI; H:cio-krc-pf07; RD:none; EFVD:NLI
X-SpamScore: 4
X-BigFish: VPS4(zz1432I1506Jzz1f42h1d77h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzzz2fh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1b1cn1b1bi1155h)
Received-SPF: pass (mail66-tx2: domain of osu.edu designates 164.107.81.214 as permitted sender) client-ip=164.107.81.214; envelope-from=cantor.2@osu.edu; helo=cio-krc-pf07 ; cio-krc-pf07 ; 
Received: from mail66-tx2 (localhost.localdomain [127.0.0.1]) by mail66-tx2 (MessageSwitch) id 1373637477173472_25303; Fri, 12 Jul 2013 13:57:57 +0000 (UTC)
Received: from TX2EHSMHS008.bigfish.com (unknown [10.9.14.252])	by mail66-tx2.bigfish.com (Postfix) with ESMTP id 263024A00E0; Fri, 12 Jul 2013 13:57:57 +0000 (UTC)
Received: from cio-krc-pf07 (164.107.81.214) by TX2EHSMHS008.bigfish.com (10.9.99.108) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 12 Jul 2013 13:57:54 +0000
Received: from CIO-TNC-HT07.osuad.osu.edu (localhost [127.0.0.1])	by cio-krc-pf07 (Postfix) with ESMTP id 294FC500056; Fri, 12 Jul 2013 09:57:54 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-TNC-HT07.osuad.osu.edu ([fe80::1c0f:4d2:f020:9937%12]) with mapi id 14.03.0123.003; Fri, 12 Jul 2013 09:57:54 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, Josh Howlett <Josh.Howlett@ja.net>
Thread-Topic: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does
Thread-Index: AQHOfuv08xPL5gT/20qgYXqrqQzMLplhESqA
Date: Fri, 12 Jul 2013 13:57:53 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD0E775C@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <CE057F8E.21F62%Josh.Howlett@ja.net> <tslbo68dpy3.fsf@mit.edu>
In-Reply-To: <tslbo68dpy3.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [164.107.161.117]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what	Moonshot actually does
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 13:58:06 -0000

>     Josh> Why?  Isn't it sufficient for the AAA layer to know that it is
>     Josh> a SAML blob? Why does the AAA layer care about the semantics
>     Josh> of the blob?
> 
> You and I should get together in person and work through this again and
> write text in the same session.
> 
> Unfortunately this seems to be a case where the discussion expires from
> the cache too soon.:-)

Ultimately you just have to strike a balance between overly specifying
things and not signaling enough. I don't know enough about RADIUS to judge,
but for me the rule of thumb is to either signal based on broad semantic
categories (assertion vs. protocol messages) or be consistent and signal
different XML elements uniquely based on QName/xsi:type.

-- Scott



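The two signalling designs argued over in this thread, Alejandro's "type" subfield inside a single SAML-AAA attribute and Scott's rule of thumb of signalling either by broad semantic category or by QName, are shown below as an added Python example. It is not code from draft-ietf-abfab-aaa-saml, from Moonshot or from any poster in the thread; the one-octet subfield layout, the type codes, the `encode_saml_aaa`/`decode_saml_aaa` names and the sample XML are constructed assumptions. The point it adds to the discussion is that whichever signal the AAA layer carries, the RP/SP still has to confirm that the XML root element matches the declared type before handing the blob to a type-specific handler.

```python
# Added example, not from the draft, Moonshot or any message in this thread.
# Assumed layout: value field = one-octet "type" subfield + the XML document.
import struct
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Hypothetical type-subfield codes -> the root element QName each promises.
TYPE_CODES = {
    1: "{%s}Response" % SAMLP_NS,
    2: "{%s}Assertion" % SAML_NS,
    3: "{%s}EncryptedAssertion" % SAML_NS,
}


def semantic_category(qname):
    """Scott's coarser signal: 'protocol' for samlp:* roots, 'assertion' for saml:*."""
    ns = qname[1:].split("}", 1)[0] if qname.startswith("{") else ""
    if ns == SAMLP_NS:
        return "protocol"
    if ns == SAML_NS:
        return "assertion"
    return "unknown"


def encode_saml_aaa(type_code, xml_bytes):
    """Build the value field: one-octet type subfield followed by the XML."""
    if type_code not in TYPE_CODES:
        raise ValueError("unknown type code %d" % type_code)
    return struct.pack("!B", type_code) + xml_bytes


def decode_saml_aaa(value):
    """Parse a value field; return (declared QName, category, root element).

    The subfield is only a hint from the sender.  The RP/SP checks that the
    root element really is what the subfield claims, so a handler written for
    one object type is never fed a different one.
    """
    if len(value) < 2:
        raise ValueError("value field too short")
    declared = TYPE_CODES.get(value[0])
    if declared is None:
        raise ValueError("unknown type code %d" % value[0])
    root = ET.fromstring(value[1:])
    if root.tag != declared:
        raise ValueError("type subfield says %s but root element is %s"
                         % (declared, root.tag))
    return declared, semantic_category(root.tag), root


# Constructed sample objects; minimal, not schema-complete.
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    b' ID="_a1" Version="2.0" IssueInstant="2013-07-12T00:00:00Z">'
    b'<saml:Issuer>https://idp.example.org</saml:Issuer></saml:Assertion>'
)
SAMPLE_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    b' ID="_r1" Version="2.0" IssueInstant="2013-07-12T00:00:00Z">'
    b'<samlp:Status><samlp:StatusCode'
    b' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'<saml:Assertion ID="_a2" Version="2.0"'
    b' IssueInstant="2013-07-12T00:00:00Z"/></samlp:Response>'
)


def demo():
    """Decode two correctly labelled values and one whose subfield lies."""
    cat_assertion = decode_saml_aaa(encode_saml_aaa(2, SAMPLE_ASSERTION))[1]
    cat_response = decode_saml_aaa(encode_saml_aaa(1, SAMPLE_RESPONSE))[1]
    try:
        # Subfield says Response, payload is a bare Assertion: must be rejected.
        decode_saml_aaa(encode_saml_aaa(1, SAMPLE_ASSERTION))
        mislabelled = "accepted"
    except ValueError:
        mislabelled = "rejected"
    return cat_assertion, cat_response, mislabelled


if __name__ == "__main__":
    print(demo())  # ('assertion', 'protocol', 'rejected')
```

With David's alternative of one RADIUS attribute per object type, the attribute number plays the role of the subfield and the same root-element check applies; with Josh's "just a SAML blob" view the receiver derives everything from the root QName, which is what `semantic_category` does on its own.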
From david.black@emc.com  Fri Jul 12 08:04:41 2013
From: "Black, David" <david.black@emc.com>
To: "stefan.winter@restena.lu" <stefan.winter@restena.lu>, "jsalowey@cisco.com" <jsalowey@cisco.com>, General Area Review Team <gen-art@ietf.org>
Date: Fri, 12 Jul 2013 11:04:01 -0400
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712983F32EC@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com> <8D3D17ACE214DC429325B2B98F3AE712983F2C87@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE712983F2C87@MX15A.corp.emc.com>
Cc: "abfab@ietf.org" <abfab@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-05

And the -05 version includes the text to address that editorial nit - it's
ready for publication as a Proposed Standard RFC.  Many thanks to the authors
for productively addressing the review comments.

Thanks,
--David

> -----Original Message-----
> From: Black, David
> Sent: Monday, July 08, 2013 4:44 PM
> To: Black, David; stefan.winter@restena.lu; jsalowey@cisco.com; General Area
> Review Team
> Cc: ietf@ietf.org; abfab@ietf.org
> Subject: Gen-ART review of draft-ietf-abfab-eapapplicability-04
>
> The -04 version of this draft resolves the minor issue noted in
> the Gen-ART review of the -03 version.
>
> There is a remaining editorial nit, in that the one use of
> "non-network" in the -04 version would benefit from clarification.
> I suggest the following text change to the start of the paragraph
> that's split across pages 3 and 4 (change is to last line of excerpt):
>
> OLD
>    Operators need to carefully consider the security implications before
>    relaxing these requirements.  One potentially serious attack exists
>    when channel binding is not required and EAP authentication is
>    introduced into an existing non-network service.
>
> NEW
>    Operators need to carefully consider the security implications before
>    relaxing these requirements.  One potentially serious attack exists
>    when channel binding is not required and EAP authentication is
>    introduced into an existing service other than network access.
>
> Thanks,
> --David
>
> > -----Original Message-----
> > From: Black, David
> > Sent: Monday, June 17, 2013 10:39 PM
> > To: stefan.winter@restena.lu; jsalowey@cisco.com; General Area Review T=
eam
> > Cc: ietf@ietf.org; abfab@ietf.org; Black, David
> > Subject: Gen-ART review of draft-ietf-abfab-eapapplicability-03
> >
> > I am the assigned Gen-ART reviewer for this draft. For background on
> > Gen-ART, please see the FAQ at
> >
> > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> >
> > Please resolve these comments along with any other Last Call comments
> > you may receive.
> >
> > Document: draft-ietf-abfab-eapapplicability-03
> > Reviewer: David L. Black
> > Review Date: June 17, 2003
> > IETF LC End Date: June 17, 2003
> >
> > Summary:
> > This draft is on the right track but has open issues, described in the
> review.
> >
> > This draft updates the applicability statement for EAP to include usage
> > for application layer access via EAP over GSSAPI.  Additional security
> > requirements are introduced for environments in which EAP is used for
> > that purpose.
> >
> > I found one open issue, which is minor, and may be editorial
> >
> > Major issues: None
> >
> > Minor issues: One
> >
> > The next to last paragraph on p.3 begins with this sentence:
> >
> >    For these reasons, channel binding MUST be implemented by peers, EAP
> >    servers and AAA servers in environments where EAP authentication is
> >    used to access application layer services.
> >
> > It appears that this "MUST" requirement applies to all uses of EAP,
> > including network access authentication, not just application layer
> > access authentication.  If so, that's not immediately obvious from the
> > text, and an additional sentence should be added to make this clearer.
> > If not, the above sentence needs to exclude network access
> > authentication from that requirement.
> >
> > Nits/editorial comments:
> >
> > The same paragraph (p.3) continues with:
> >
> >    In addition, channel
> >    binding MUST default to being required by peers for non-network
> >    authentication.  If the EAP server is aware that authentication is
> >    for something other than a network service, it too MUST default to
> >    requiring channel binding.
> >
> > What is meant by "non-network authentication" and "other than a network
> > service"?  If those mean "other than for network access authentication"
> > as the term "network access authentication" is used in section 1 and
> > RFC 3748, that meaning should be clarified.
> >
> > idnits 2.12.17 generated this comment:
> >
> >   -- The document seems to lack a disclaimer for pre-RFC5378 work, but
> >      may have content which was first submitted before 10 November 2008.
> >      If you have contacted all the original authors and they are all
> >      willing to grant the BCP78 rights to the IETF Trust, then this is
> >      fine, and you can ignore this comment.  If not, you may need to add
> >      the pre-RFC5378 disclaimer.
> >      (See the Legal Provisions document at
> >      http://trustee.ietf.org/license-info for more information.)
> >
> > idnits appears to be confused ;-).  The -00 version of this draft is
> > from 2012, and this draft does not contain sufficient material from
> > RFC 3748 that would raise that concern, so this comment should be ok
> > to ignore.
> >
> > Thanks,
> > --David
> > ----------------------------------------------------
> > David L. Black, Distinguished Engineer
> > EMC Corporation, 176 South St., Hopkinton, MA  01748
> > +1 (508) 293-7953             FAX: +1 (508) 293-7786
> > david.black@emc.com        Mobile: +1 (978) 394-7754
> > ----------------------------------------------------


From jari.arkko@piuha.net  Mon Jul 15 23:24:14 2013
From: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE712983F32EC@MX15A.corp.emc.com>
Date: Tue, 16 Jul 2013 08:24:04 +0200
Message-Id: <6356DA73-32CE-4B32-B760-48AED3B04120@piuha.net>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com> <8D3D17ACE214DC429325B2B98F3AE712983F2C87@MX15A.corp.emc.com> <8D3D17ACE214DC429325B2B98F3AE712983F32EC@MX15A.corp.emc.com>
To: "Black, David" <david.black@emc.com>
Cc: General Area Review Team <gen-art@ietf.org>, "abfab@ietf.org" <abfab@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [abfab] [Gen-art] Gen-ART review of draft-ietf-abfab-eapapplicability-05

> And the -05 version includes the text to address that editorial nit - it's
> ready for publication as a Proposed Standard RFC.  Many thanks to the authors
> for productively addressing the review comments.

And many thanks to you, David, for your review. Based on this review and
my own review of this document, I have balloted Yes on the document.

Jari


From leifj@sunet.se  Wed Jul 17 00:36:33 2013
Message-ID: <51E64977.5090903@sunet.se>
Date: Wed, 17 Jul 2013 09:36:23 +0200
From: Leif Johansson <leifj@sunet.se>
To: abfab@ietf.org
Subject: [abfab] agenda for berlin

Right now it looks like we have

- aaa-saml open issues
- remaining document status

anything else we should add to the agenda at this time?

        Cheers Leif

From leifj@nordu.net  Wed Jul 17 12:50:43 2013
From: "Leif Johansson" <leifj@nordu.net>
References: <51E64977.5090903@sunet.se>
In-Reply-To: <51E64977.5090903@sunet.se>
Message-Id: <6001626E-6E16-4556-94A0-016F7A3B2941@nordu.net>
Date: Wed, 17 Jul 2013 21:50:22 +0200
To: Leif Johansson <leifj@sunet.se>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] agenda for berlin

I dropped a prelim agenda just now. Feel free to send proposed changes &
additions!

17 jul 2013 kl. 09:36 skrev "Leif Johansson" <leifj@sunet.se>:

>
> Right now it looks like we have
>
> - aaa-saml open issues
> - remaining document status
>
> anything else we should add to the agenda at this time?
>
>        Cheers Leif
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab


From Josh.Howlett@ja.net  Thu Jul 18 06:33:50 2013
From: Josh Howlett <Josh.Howlett@ja.net>
To: "Cantor, Scott" <cantor.2@osu.edu>, Sam Hartman <hartmans@painless-security.com>
Date: Thu, 18 Jul 2013 13:33:37 +0000
Message-ID: <CE0DAAF7.228CC%Josh.Howlett@ja.net>
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD0E775C@CIO-KRC-D1MBX01.osuad.osu.edu>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

>
>Ultimately you just have to strike a balance between overly specifying
>things and not signaling enough. I don't know enough about RADIUS to
>judge, but for me the rule of thumb is to either signal based on broad
>semantic categories (assertion vs. protocol messages) or be consistent
>and signal different XML elements uniquely based on Qname/xsi:type.

Right. And on this basis, from my knowledge of SAML and RADIUS, I see no
reason not to follow the pattern set by the existing SAML bindings. I
would welcome some reasoning from those arguing otherwise as to why we
shouldn't do this. I.e. what makes RADIUS a special case? Clearly we could
move the payload semantics to the RADIUS layer, but why do it? ("Because
we can" does not cut it!)

Josh.



Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


From cantor.2@osu.edu  Thu Jul 18 07:07:39 2013
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Josh Howlett <Josh.Howlett@ja.net>, Sam Hartman <hartmans@painless-security.com>
Date: Thu, 18 Jul 2013 14:07:26 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD10FD17@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD0E775C@CIO-KRC-D1MBX01.osuad.osu.edu> <CE0DAAF7.228CC%Josh.Howlett@ja.net>
In-Reply-To: <CE0DAAF7.228CC%Josh.Howlett@ja.net>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

> Right. And on this basis, from my knowledge of SAML and RADIUS, I see no
> reason not to follow the pattern set by the existing SAML bindings. I
> would welcome some reasoning from those arguing otherwise as to why we
> shouldn't do this. I.e. what makes RADIUS a special case? Clearly we could
> move the payload semantics to the RADIUS layer, but why do it? ("Because
> we can" does not cut it!)

Since bindings in general don't carry Assertion alone, that distinction is
probably worthy of a separate attribute.

-- Scott



From Josh.Howlett@ja.net  Thu Jul 18 07:18:25 2013
From: Josh Howlett <Josh.Howlett@ja.net>
To: "Cantor, Scott" <cantor.2@osu.edu>, Sam Hartman <hartmans@painless-security.com>
Date: Thu, 18 Jul 2013 14:18:09 +0000
Message-ID: <CE0DB5A1.2295C%Josh.Howlett@ja.net>
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD10FD17@CIO-KRC-D1MBX01.osuad.osu.edu>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Conflict between draft-ietf-abfab-aaa-saml and what Moonshot actually does

>
>Since bindings in general don't carry Assertion alone, that distinction
>is probably worthy of a separate attribute.

Yes, good point. This would fit nicely with Sam's proposal for returning
an unsolicited response as a raw assertion. That differentiation adds
value in this case: we can assume that the acceptor isn't interested in
the response semantics and so we avoid some needless parsing.

Thanks, Josh.
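The classification Scott's rule of thumb describes (coarse category vs. root QName/xsi:type) and the raw-assertion shortcut discussed above, as an added example that is not code from the draft, from Moonshot, or from anyone on this thread: the acceptor keys its processing off the root QName, so a raw saml:Assertion skips protocol handling while a samlp:Response is status-checked and unwrapped first. The SAML payloads are constructed and unsigned, and ElementTree stands in for a hardened parser.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def clark(ns, local):
    """Clark notation ({namespace}local), the tag form ElementTree uses."""
    return "{%s}%s" % (ns, local)


# Fine-grained signal: the root QName.  Coarse signal: the broad category
# the AAA layer could carry instead.  The coarse one is derived from the
# fine one, so the two signaling styles never disagree.
CATEGORY_BY_QNAME = {
    clark(SAML_NS, "Assertion"): "assertion",
    clark(SAMLP_NS, "Response"): "protocol",
    clark(SAMLP_NS, "AuthnRequest"): "protocol",
}


def parse_blob(blob):
    # Assumption: production code swaps in a hardened parser (defusedxml),
    # since the blob comes from a remote party; ElementTree is used so the
    # example runs with the standard library only.
    return ET.fromstring(blob)


def classify(root):
    """Return (category, qname, xsi_type); raise on an unknown root."""
    category = CATEGORY_BY_QNAME.get(root.tag)
    if category is None:
        raise ValueError("unexpected SAML root element: %s" % root.tag)
    return category, root.tag, root.get(clark(XSI_NS, "type"))


def accepted_assertions(blob):
    """Return the Assertion elements an acceptor may act on.

    A raw assertion needs no protocol handling.  A samlp:Response is
    unwrapped only after its Status says Success; any other protocol
    message is refused, since an acceptor never consumes it.
    """
    root = parse_blob(blob)
    category, qname, _ = classify(root)
    if category == "assertion":
        return [root]
    if qname != clark(SAMLP_NS, "Response"):
        raise ValueError("acceptor does not consume %s" % qname)
    code = root.find(clark(SAMLP_NS, "Status") + "/" + clark(SAMLP_NS, "StatusCode"))
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("Response status is not Success")
    assertions = root.findall(clark(SAML_NS, "Assertion"))
    if not assertions:
        raise ValueError("successful Response carries no Assertion")
    return assertions


# Constructed sample payloads (not captured traffic); signatures omitted.
RAW_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="saml:AssertionType"
 ID="_a1" Version="2.0" IssueInstant="2013-07-18T14:00:00Z">
 <saml:Issuer>https://idp.example.org</saml:Issuer>
 <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
</saml:Assertion>"""

OK_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_r1" Version="2.0" IssueInstant="2013-07-18T14:00:00Z">
 <saml:Issuer>https://idp.example.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2013-07-18T14:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
 </saml:Assertion>
</samlp:Response>"""

FAILED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_r2" Version="2.0" IssueInstant="2013-07-18T14:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    for blob in (RAW_ASSERTION, OK_RESPONSE):
        category, qname, xsi_type = classify(parse_blob(blob))
        ids = [a.get("ID") for a in accepted_assertions(blob)]
        print(category, qname, xsi_type, ids)
```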





From hartmans@painless-security.com  Mon Jul 29 05:53:26 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0370D21F9F5F for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 05:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lbo9iZO1PctP for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 05:53:13 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 1CD3021F9E43 for <abfab@ietf.org>; Mon, 29 Jul 2013 05:53:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id BD79920134 for <abfab@ietf.org>; Mon, 29 Jul 2013 08:52:36 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hFVGmkFdQxmP for <abfab@ietf.org>; Mon, 29 Jul 2013 08:52:36 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-4332.meeting.ietf.org [130.129.67.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS for <abfab@ietf.org>; Mon, 29 Jul 2013 08:52:36 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C521087FB2; Mon, 29 Jul 2013 08:53:07 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Mon, 29 Jul 2013 08:53:07 -0400
Message-ID: <tslk3k9ttn0.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 12:53:26 -0000

Jim was reviewing some notes Josh and I are exchanging about
abfab-aaa-saml.

Consider what happens if a signed SAML request is included in an
access request.

Assume that the AAA server/SAML IDP validates the signature against
metadata and applies policy based on the entity ID in the SAML request.

If the response (especially assertions) is encrypted to a key associated
with that entity from metadata, then everything is fine.

Similarly if metadata contains some indication that binds this
particular RADIUS NAS to the entity ID, everything is also fine.

However, without that binding, the IDP only knows that at some point the
entity generated this authentication request.
In the SAML Web SSO profile, the assertion is going to be sent to a URI
from metadata (as I understand it) so the IDP knows the assertion is
being sent to the correct RP.

However, for our RADIUS binding, we're planning on returning the
assertion in an access-accept.
Under the assumptions so far we know that the SAML entity generating the
request is entitled to be treated as described by the metadata.  We know
according to assumptions Josh and I propose to add to the RADIUS binding
that the NAS claims to be that SAML entity.
However, we don't know if this claim is credible.

The NAS may have captured the SAML request from somewhere.
We may be about to release attributes to the NAS that the NAS is not
entitled to receive.

I find this interesting, because so far I've generally assumed that if
you get a signed SAML request you could apply the policy you'd use if
you got the same request in the web SSO profile.
However that appears not to be the case.

--Sam


From hartmans@painless-security.com  Mon Jul 29 05:56:56 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C93BB21F9B30 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 05:56:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id soS1j7l409B1 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 05:56:42 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 6BD4A21F9AC5 for <abfab@ietf.org>; Mon, 29 Jul 2013 05:56:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id BC6F420134; Mon, 29 Jul 2013 08:56:04 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_mKK0ryw5LG; Mon, 29 Jul 2013 08:56:04 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-4332.meeting.ietf.org [130.129.67.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 29 Jul 2013 08:56:04 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 9E4D487FB2; Mon, 29 Jul 2013 08:56:35 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: josh.howlett@ja.net
Date: Mon, 29 Jul 2013 08:56:35 -0400
Message-ID: <tslfvuxtth8.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: abfab@ietf.org
Subject: [abfab] Jim's additional issues with aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 12:57:02 -0000

I met with Jim today to go over our proposed resolutions to his issues
and our discussion of naming and name congruence that we'll be
presenting tomorrow.

He brought up the following additional issues.

1) He wants a name ID form to describe a NAI.  That is, he wants to say
that the subject of this SAML message is the NAI "foo@bar.com".

2) He convinced me that including the word state in the RADIUS state
subject confirmation method is probably wrong; he also believes section
9 needs more clarity.

We also discussed which service type should be used in the query
profile, but I want to have a round of that discussion in person with
you before trying to present to the WG.

--Sam

From cantor.2@osu.edu  Mon Jul 29 06:43:29 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FEA521F9F0A for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 06:43:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aqODNUrm9ZDg for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 06:43:22 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe003.messaging.microsoft.com [216.32.181.183]) by ietfa.amsl.com (Postfix) with ESMTP id 72A6621F9EDF for <abfab@ietf.org>; Mon, 29 Jul 2013 06:43:13 -0700 (PDT)
Received: from mail30-ch1-R.bigfish.com (10.43.68.237) by CH1EHSOBE018.bigfish.com (10.43.70.68) with Microsoft SMTP Server id 14.1.225.22; Mon, 29 Jul 2013 13:43:12 +0000
Received: from mail30-ch1 (localhost [127.0.0.1])	by mail30-ch1-R.bigfish.com (Postfix) with ESMTP id 6B7B24E0158; Mon, 29 Jul 2013 13:43:12 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.212; KIP:(null); UIP:(null); IPV:NLI; H:cio-krc-pf05; RD:none; EFVD:NLI
X-SpamScore: 4
X-BigFish: VPS4(zzbb2dI98dI9371Izz1f42h1d77h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1de098h8275bh1de097hz2fh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1b1cn1b1bi1155h)
Received-SPF: pass (mail30-ch1: domain of osu.edu designates 164.107.81.212 as permitted sender) client-ip=164.107.81.212; envelope-from=cantor.2@osu.edu; helo=cio-krc-pf05 ; cio-krc-pf05 ; 
Received: from mail30-ch1 (localhost.localdomain [127.0.0.1]) by mail30-ch1 (MessageSwitch) id 1375105391445505_7810; Mon, 29 Jul 2013 13:43:11 +0000 (UTC)
Received: from CH1EHSMHS027.bigfish.com (snatpool3.int.messaging.microsoft.com [10.43.68.225])	by mail30-ch1.bigfish.com (Postfix) with ESMTP id 6779618004A;	Mon, 29 Jul 2013 13:43:11 +0000 (UTC)
Received: from cio-krc-pf05 (164.107.81.212) by CH1EHSMHS027.bigfish.com (10.43.70.27) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 29 Jul 2013 13:43:11 +0000
Received: from CIO-KRC-HT03.osuad.osu.edu (localhost [127.0.0.1])	by cio-krc-pf05 (Postfix) with ESMTP id BE4F560047; Mon, 29 Jul 2013 09:43:10 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT03.osuad.osu.edu ([fe80::2572:c08d:8186:46a4%12]) with mapi id 14.03.0123.003; Mon, 29 Jul 2013 09:43:11 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] SAML binding attack (thanks Jim Schaad)
Thread-Index: AQHOjFqzg6trAIwPXU2n2Ma5rRQnRZl7qmyA
Date: Mon, 29 Jul 2013 13:43:10 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD131B40@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <tslk3k9ttn0.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [164.107.161.117]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <65B7FB0022B6FB4F9187330208011A7A@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 13:43:29 -0000

On 7/29/13 8:53 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:

>However, without that binding, the IDP only knows that at some point the
>entity generated this authentication request.
>In the SAML Web SSO profile, the assertion is going to be sent to a URI
>from metadata (as I understand it) so the IDP knows the assertion is
>being sent to the correct RP.

Typically, but it's not uncommon to rely on request signing as a
substitute for explicitly checking. But the difference, I guess, is that
if you request a response for a web site you don't control, you obviously
aren't going to get much out of it.

>The NAS may have captured the SAML request from somewhere.
>We may be about to release attributes to the NAS that the NAS is not
>entitled to receive.

That window on capture ought to be a few minutes.

>I find this interesting, because so far I've generally assumed that if
>you get a signed SAML request you could apply the policy you'd use if
>you got the same request in the web SSO profile.
>However that appears not to be the case.

I don't think there's really a major difference. It comes down to
freshness and replay.

-- Scott



From hartmans@painless-security.com  Mon Jul 29 07:14:19 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B816321F8934 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 07:14:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xedi4abLMiiE for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 07:14:12 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 77DA621F99E8 for <abfab@ietf.org>; Mon, 29 Jul 2013 07:14:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 61485201FA; Mon, 29 Jul 2013 10:13:36 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LONjkNkS_uiZ; Mon, 29 Jul 2013 10:13:35 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-4332.meeting.ietf.org [130.129.67.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 29 Jul 2013 10:13:35 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 770D287FB2; Mon, 29 Jul 2013 10:14:07 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD131B40@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Mon, 29 Jul 2013 10:14:07 -0400
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD131B40@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott Cantor's message of "Mon, 29 Jul 2013 13:43:10 +0000")
Message-ID: <tslmwp5qwr4.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 14:14:19 -0000

>>>>> "Cantor," == Cantor, Scott <cantor.2@osu.edu> writes:


    >> The NAS may have captured the SAML request from somewhere.  We
    >> may be about to release attributes to the NAS that the NAS is not
    >> entitled to receive.

    Cantor,> That window on capture ought to be a few minutes.

Sure, but it takes a lot less than a few minutes to generate an HTTP
request.

Consider for example an attacker who runs a development IDP somewhere in
a set of SAML metadata.  Can't that attacker go ask random websites to
send SAML requests?
In the SAML ECP gss mechanism is the SAML request sent directly to the
IDP or is it sent to the client?
If client, then the attacker can get SAML requests from many RPs.

So, I don't see how making the window short helps much.
It seems like there are important classes of attacker who can easily get
fresh new requests.
Or am I missing something?

--Sam

From cantor.2@osu.edu  Mon Jul 29 07:31:09 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE7AA21F9BF0 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 07:31:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bB732gk62hER for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 07:30:56 -0700 (PDT)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe004.messaging.microsoft.com [216.32.180.187]) by ietfa.amsl.com (Postfix) with ESMTP id E389321F9D31 for <abfab@ietf.org>; Mon, 29 Jul 2013 07:30:02 -0700 (PDT)
Received: from mail168-co1-R.bigfish.com (10.243.78.239) by CO1EHSOBE006.bigfish.com (10.243.66.69) with Microsoft SMTP Server id 14.1.225.22; Mon, 29 Jul 2013 14:29:52 +0000
Received: from mail168-co1 (localhost [127.0.0.1])	by mail168-co1-R.bigfish.com (Postfix) with ESMTP id 2545FAC00FC; Mon, 29 Jul 2013 14:29:52 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.214; KIP:(null); UIP:(null); IPV:NLI; H:cio-krc-pf07; RD:none; EFVD:NLI
X-SpamScore: 4
X-BigFish: VPS4(zzbb2dI98dI9371Izz1f42h1d77h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1de098h8275bh1de097hz2fh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1b1cn1b1bi1155h)
Received-SPF: pass (mail168-co1: domain of osu.edu designates 164.107.81.214 as permitted sender) client-ip=164.107.81.214; envelope-from=cantor.2@osu.edu; helo=cio-krc-pf07 ; cio-krc-pf07 ; 
Received: from mail168-co1 (localhost.localdomain [127.0.0.1]) by mail168-co1 (MessageSwitch) id 1375108190664559_17684; Mon, 29 Jul 2013 14:29:50 +0000 (UTC)
Received: from CO1EHSMHS019.bigfish.com (unknown [10.243.78.245])	by mail168-co1.bigfish.com (Postfix) with ESMTP id 9EAAD9001CD; Mon, 29 Jul 2013 14:29:50 +0000 (UTC)
Received: from cio-krc-pf07 (164.107.81.214) by CO1EHSMHS019.bigfish.com (10.243.66.29) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 29 Jul 2013 14:29:49 +0000
Received: from CIO-KRC-HT01.osuad.osu.edu (localhost [127.0.0.1])	by cio-krc-pf07 (Postfix) with ESMTP id 4F977500056; Mon, 29 Jul 2013 10:29:48 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT01.osuad.osu.edu ([fe80::6d8f:7dea:5691:1620%12]) with mapi id 14.03.0123.003; Mon, 29 Jul 2013 10:29:48 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] SAML binding attack (thanks Jim Schaad)
Thread-Index: AQHOjFqzg6trAIwPXU2n2Ma5rRQnRZl7qmyAgAAIsP+AAARSgA==
Date: Mon, 29 Jul 2013 14:29:47 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD131BD2@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <tslmwp5qwr4.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [164.107.161.117]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9468FB55922F99478621ECF6E45290C2@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 14:31:11 -0000

On 7/29/13 10:14 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:

>Consider for example an attacker who runs a development IDP somewhere in
>a set of SAML metadata.  Can't that attacker go ask random websites to
>send SAML requests?

Yes, but in the browser case, they'll be signed with that IdP's endpoint
location in them, and be useless to send anywhere else. That's what you're
missing here, I expect (and is also missing in ECP).

In the ECP case, the issue is more the weakness of replayable
authentication, but the attacker does have to compromise both legs of
communication. If all you do is get between the client and RP, then the
protection is, as mentioned, encryption, or the use of CB to detect that
the client talking to the IdP is talking to a different TLS endpoint than
the one owned by the actual SP that signed the request.

That's why I was interested in adding CB to the underlying profile, GSS
aside.

But if you compromise both legs, it's game over unless the client/IdP
exchange is mutual TLS or something like that.

>In the SAML ECP gss mechanism is the SAML request sent directly to the
>IDP or is it sent to the client?

The client.

>If client, then the attacker can get SAML requests from many RPs.

That's true, modulo the above.

But in ECP, if you really, really care about the confidentiality, you can
always omit the attributes and do queries for them, the same as Shibboleth
did in the SAML 1.1 days.

It's one trust fabric for me, so I can mix and match.

-- Scott



From hartmans@painless-security.com  Mon Jul 29 08:17:31 2013
Return-Path: <hartmans@painless-security.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8651711E80FB for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 08:17:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1T3ytSYCfP-N for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 08:17:25 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id CAA2311E810B for <abfab@ietf.org>; Mon, 29 Jul 2013 08:17:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 65F9A20134; Mon, 29 Jul 2013 11:16:37 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0IlK9D72cmoC; Mon, 29 Jul 2013 11:16:37 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [130.129.67.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 29 Jul 2013 11:16:36 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id CEACB87FB2; Mon, 29 Jul 2013 11:17:08 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Cantor\, Scott" <cantor.2@osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD131BD2@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Mon, 29 Jul 2013 11:17:08 -0400
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD131BD2@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott Cantor's message of "Mon, 29 Jul 2013 14:29:47 +0000")
Message-ID: <tsltxjdpf9n.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 15:17:31 -0000

So, if I'm understanding correctly.

A moonshot RP could take an ECP SAML request and forward to a moonshot
IDP+AAA combination.
If this was a fresh request then the SAML request might not correspond
to the AAA RP.

A Moonshot RP that can intercept SAML requests towards an interesting
IDP and suppress them from getting to the IDP can do the same for web
SSO.
(I don't consider this particularly interesting)

ECP can protect itself against this because the client can potentially
evaluate the request before forwarding it to the IDP.

Do I have it right now?

From cantor.2@osu.edu  Mon Jul 29 08:35:12 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3FEE11E80F7 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 08:35:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.099
X-Spam-Level: 
X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[AWL=1.500,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfW7WSAvuwPO for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 08:35:05 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe002.messaging.microsoft.com [65.55.88.12]) by ietfa.amsl.com (Postfix) with ESMTP id E4BFE11E80E6 for <abfab@ietf.org>; Mon, 29 Jul 2013 08:35:04 -0700 (PDT)
Received: from mail37-tx2-R.bigfish.com (10.9.14.243) by TX2EHSOBE006.bigfish.com (10.9.40.26) with Microsoft SMTP Server id 14.1.225.22; Mon, 29 Jul 2013 15:35:03 +0000
Received: from mail37-tx2 (localhost [127.0.0.1])	by mail37-tx2-R.bigfish.com (Postfix) with ESMTP id 00AC34600AC; Mon, 29 Jul 2013 15:35:03 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.222; KIP:(null); UIP:(null); IPV:NLI; H:cio-tnc-pf08; RD:none; EFVD:NLI
X-SpamScore: 3
X-BigFish: VPS3(zzbb2dI98dI9371I1418Izz1f42h1d77h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1de098h8275bh1de097hz2fh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1b1cn1b1bi1155h)
Received-SPF: pass (mail37-tx2: domain of osu.edu designates 164.107.81.222 as permitted sender) client-ip=164.107.81.222; envelope-from=cantor.2@osu.edu; helo=cio-tnc-pf08 ; cio-tnc-pf08 ; 
Received: from mail37-tx2 (localhost.localdomain [127.0.0.1]) by mail37-tx2 (MessageSwitch) id 13751121002433_30594; Mon, 29 Jul 2013 15:35:00 +0000 (UTC)
Received: from TX2EHSMHS001.bigfish.com (unknown [10.9.14.243])	by mail37-tx2.bigfish.com (Postfix) with ESMTP id EE1651A0204; Mon, 29 Jul 2013 15:34:59 +0000 (UTC)
Received: from cio-tnc-pf08 (164.107.81.222) by TX2EHSMHS001.bigfish.com (10.9.99.101) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 29 Jul 2013 15:34:57 +0000
Received: from CIO-KRC-HT02.osuad.osu.edu (localhost [127.0.0.1])	by cio-tnc-pf08 (Postfix) with ESMTP id 1991B2E006E; Mon, 29 Jul 2013 11:34:57 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT02.osuad.osu.edu ([fe80::8554:1787:2a7:72c9%12]) with mapi id 14.03.0123.003; Mon, 29 Jul 2013 11:34:56 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] SAML binding attack (thanks Jim Schaad)
Thread-Index: AQHOjFqzg6trAIwPXU2n2Ma5rRQnRZl7qmyAgAAIsP+AAARSgIAADUkngAAE6wA=
Date: Mon, 29 Jul 2013 15:34:56 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD131C94@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <tsltxjdpf9n.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [164.107.161.117]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1711CF12FA1B7F448D1275636C343CE7@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 15:35:12 -0000

On 7/29/13 11:17 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:

>A moonshot RP could take an ECP SAML request and forward to a moonshot
>IDP+AAA combination.
>If this was a fresh request then the SAML request might not correspond
>to the AAA RP.

I think that's true, yes.

>ECP can protect itself against this because the client can potentially
>evaluate the request before forwarding it to the IDP.

Possibly. There are a variety of spots where problems can be prevented,
including channel binding, but also including the use of the field
normally used to identify the web site URL to identify the GSS acceptor
(in the GSS case with something like SSH that lacks channel binding).

So for example if you open a connection to service@host, that goes in the
SAML request and would be checked against metadata by the IdP to ensure
the signing key used is authorized for use by that identity.

The mutual flag in GSS depends on signing the request, and obviously in
the absence of encryption an IdP probably shouldn't be sending sensitive
data for delivery to a requester it can't verify.

-- Scott
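As an added illustration of the check this thread converges on (Sam's captured-request scenario in his 08:53 message, and Scott's suggestion above of carrying the acceptor name in the signed request and checking it against metadata), here is a small Python model of the IdP/AAA-side decision. It is not code from the draft or from Moonshot; the metadata, keys, NAS names and the HMAC stand-in for XML-DSig are all constructed for illustration, and the NAS identity is assumed to have been authenticated already by the AAA layer.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed metadata: entity ID -> signature-verification key and the
# acceptor names (service@host) this entity is authorised to act as.  The
# "acceptors" set is the NAS-to-entity binding Sam says plain metadata lacks.
METADATA = {
    "https://sp.example.edu/shibboleth": {
        "key": b"constructed-demo-key-not-a-real-secret",
        "acceptors": {"host@nas1.example.edu", "host@nas2.example.edu"},
    },
}

FRESHNESS_WINDOW = 300  # seconds; Scott's "a few minutes"
CLOCK_SKEW = 60         # seconds of tolerated clock difference


@dataclass(frozen=True)
class AuthnRequest:
    request_id: str
    issuer: str          # SAML entity ID of the requester
    issue_instant: int   # seconds since the epoch
    acceptor: str        # GSS acceptor name carried in the signed request
    signature: bytes


def _signing_input(request_id, issuer, issue_instant, acceptor):
    # Everything the signature must cover; the acceptor name is included.
    return f"{request_id}|{issuer}|{issue_instant}|{acceptor}".encode()


def sign_request(request_id, issuer, issue_instant, acceptor, key):
    """Requester side: produce a signed request (HMAC stands in for XML-DSig)."""
    sig = hmac.new(key, _signing_input(request_id, issuer, issue_instant, acceptor),
                   hashlib.sha256).digest()
    return AuthnRequest(request_id, issuer, issue_instant, acceptor, sig)


def evaluate_request(req, authenticated_nas, metadata, seen_ids, now):
    """IdP/AAA side.  authenticated_nas is the NAS identity the AAA layer has
    already authenticated (assumed to be expressible as service@host).
    Returns 'accept' or 'reject:<reason>'; accepted IDs are added to seen_ids."""
    entity = metadata.get(req.issuer)
    if entity is None:
        return "reject:unknown-issuer"
    expected = hmac.new(entity["key"],
                        _signing_input(req.request_id, req.issuer,
                                       req.issue_instant, req.acceptor),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, req.signature):
        return "reject:bad-signature"
    # Freshness and replay shrink the capture window, but as Sam notes they do
    # not help against an attacker who can obtain fresh requests.
    if not (now - FRESHNESS_WINDOW <= req.issue_instant <= now + CLOCK_SKEW):
        return "reject:stale"
    if req.request_id in seen_ids:
        return "reject:replay"
    # Scott's check: the signed request names its acceptor, and metadata says
    # which acceptors the issuer may act as.  The NAS presenting the request
    # must be that acceptor, otherwise the request was obtained elsewhere.
    if req.acceptor != authenticated_nas:
        return "reject:acceptor-mismatch"
    if req.acceptor not in entity["acceptors"]:
        return "reject:acceptor-not-bound"
    seen_ids.add(req.request_id)
    return "accept"


def run_scenarios(now=1_375_105_000):
    """Exercise the check with constructed requests; returns name -> decision."""
    sp = "https://sp.example.edu/shibboleth"
    key = METADATA[sp]["key"]
    seen = set()
    legit = sign_request("_r1", sp, now - 10, "host@nas1.example.edu", key)
    # A fresh, validly signed request meant for nas2 but presented by another NAS.
    captured = sign_request("_r2", sp, now - 5, "host@nas2.example.edu", key)
    # The same request with the acceptor field rewritten; the signature no
    # longer verifies because it covers that field.
    rewritten = AuthnRequest(captured.request_id, captured.issuer,
                             captured.issue_instant, "host@other.example.net",
                             captured.signature)
    unbound = sign_request("_r3", sp, now - 5, "host@nas9.example.edu", key)
    old = sign_request("_r4", sp, now - 3600, "host@nas1.example.edu", key)
    return {
        "legit": evaluate_request(legit, "host@nas1.example.edu", METADATA, seen, now),
        "replayed": evaluate_request(legit, "host@nas1.example.edu", METADATA, seen, now),
        "captured": evaluate_request(captured, "host@other.example.net", METADATA, seen, now),
        "rewritten": evaluate_request(rewritten, "host@other.example.net", METADATA, seen, now),
        "unbound": evaluate_request(unbound, "host@nas9.example.edu", METADATA, seen, now),
        "stale": evaluate_request(old, "host@nas1.example.edu", METADATA, seen, now),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:10s} -> {decision}")
```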



From cantor.2@osu.edu  Mon Jul 29 10:15:43 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35B6F11E80E9 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:15:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.099
X-Spam-Level: 
X-Spam-Status: No, score=-4.099 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P+h5+1WGtS1X for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:15:27 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe006.messaging.microsoft.com [216.32.181.186]) by ietfa.amsl.com (Postfix) with ESMTP id 13A8A21F9C7A for <abfab@ietf.org>; Mon, 29 Jul 2013 10:12:17 -0700 (PDT)
Received: from mail184-ch1-R.bigfish.com (10.43.68.238) by CH1EHSOBE018.bigfish.com (10.43.70.68) with Microsoft SMTP Server id 14.1.225.22; Mon, 29 Jul 2013 17:12:17 +0000
Received: from mail184-ch1 (localhost [127.0.0.1])	by mail184-ch1-R.bigfish.com (Postfix) with ESMTP id 2A570320231; Mon, 29 Jul 2013 17:12:17 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.222; KIP:(null); UIP:(null); IPV:NLI; H:cio-tnc-pf08; RD:none; EFVD:NLI
X-SpamScore: 3
Received-SPF: pass (mail184-ch1: domain of osu.edu designates 164.107.81.222 as permitted sender) client-ip=164.107.81.222; envelope-from=cantor.2@osu.edu; helo=cio-tnc-pf08 ; cio-tnc-pf08 ; 
Received: from mail184-ch1 (localhost.localdomain [127.0.0.1]) by mail184-ch1 (MessageSwitch) id 1375117934680696_25250; Mon, 29 Jul 2013 17:12:14 +0000 (UTC)
Received: from CH1EHSMHS032.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.235])	by mail184-ch1.bigfish.com (Postfix) with ESMTP id A1BAC140047;	Mon, 29 Jul 2013 17:12:14 +0000 (UTC)
Received: from cio-tnc-pf08 (164.107.81.222) by CH1EHSMHS032.bigfish.com (10.43.70.32) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 29 Jul 2013 17:12:13 +0000
Received: from CIO-TNC-HT05.osuad.osu.edu (localhost [127.0.0.1])	by cio-tnc-pf08 (Postfix) with ESMTP id 478622E0059; Mon, 29 Jul 2013 13:12:13 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-TNC-HT05.osuad.osu.edu ([fe80::d0be:603:484c:5a2f%10]) with mapi id 14.03.0123.003; Mon, 29 Jul 2013 13:12:13 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] SAML binding attack (thanks Jim Schaad)
Thread-Index: AQHOjFqzg6trAIwPXU2n2Ma5rRQnRZl7qmyAgAAIsP+AAARSgIAADUkngAAE6wCAABsvgA==
Date: Mon, 29 Jul 2013 17:12:11 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD131DE3@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD131C94@CIO-KRC-D1MBX01.osuad.osu.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [164.107.161.117]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A64A468FACDA4045B70A4787993DB538@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 17:15:44 -0000

On 7/29/13 11:34 AM, "Cantor, Scott" <cantor.2@osu.edu> wrote:

>Possibly. There are a variety of spots where problems can be prevented,
>including channel binding, but also including the use of the field
>normally used to identify the web site URL to identify the GSS acceptor
>(in the GSS case with something like SSH that lacks channel binding).
>
>So for example if you open a connection to service@host, that goes in the
>SAML request and would be checked against metadata by the IdP to ensure
>the signing key used is authorized for use by that identity.

Strike that, that really doesn't prevent the attack you're talking about.
If there's no CB, then the attacker can just relay messages and the IdP
can't help the client much.

So the real answer is, yes, it's an issue that bugged me adapting ECP to
non-web, and the best solution I came up with was channel binding. But
there's not much I can do about first-contact SSH, no. There's XML
encryption and/or use of queries, that's about it.

-- Scott



From nico@cryptonector.com  Mon Jul 29 10:32:50 2013
Return-Path: <nico@cryptonector.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5225D21E8087 for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:32:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level: 
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBl4zxyeqzWa for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:32:45 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177]) by ietfa.amsl.com (Postfix) with ESMTP id BF8F411E8117 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:30:45 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTP id 5E32C67C06B for <abfab@ietf.org>; Mon, 29 Jul 2013 10:30:45 -0700 (PDT)
Received: from mail-oa0-f42.google.com (mail-oa0-f42.google.com [209.85.219.42]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTPSA id 3706C67C076 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:30:44 -0700 (PDT)
Received: by mail-oa0-f42.google.com with SMTP id i18so5362154oag.15 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:30:44 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.43.157.66 with SMTP id lp2mr5932687icc.69.1375119044215; Mon, 29 Jul 2013 10:30:44 -0700 (PDT)
Received: by 10.64.130.169 with HTTP; Mon, 29 Jul 2013 10:30:44 -0700 (PDT)
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD131DE3@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <BA63CEAE152A7742B854C678D9491383AD131C94@CIO-KRC-D1MBX01.osuad.osu.edu> <BA63CEAE152A7742B854C678D9491383AD131DE3@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Mon, 29 Jul 2013 12:30:44 -0500
Message-ID: <CAK3OfOiidCGVfCmMjTFseqPHROzDy+wYF97DAHBYn8bZOB6QXA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Cantor, Scott" <cantor.2@osu.edu>
Content-Type: text/plain; charset=UTF-8
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 17:32:50 -0000

Regarding SSH, maybe we should:

a) add a new userauth type that does use CB,

b) ditto key exchange.

From cantor.2@osu.edu  Mon Jul 29 10:40:57 2013
Return-Path: <cantor.2@osu.edu>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A23921F9A4C for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:40:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.474
X-Spam-Level: 
X-Spam-Status: No, score=-5.474 tagged_above=-999 required=5 tests=[AWL=1.125,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-rjJB2KpBJu for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:40:48 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id A967321F9A3D for <abfab@ietf.org>; Mon, 29 Jul 2013 10:39:27 -0700 (PDT)
Received: from mail173-tx2-R.bigfish.com (10.9.14.245) by TX2EHSOBE014.bigfish.com (10.9.40.34) with Microsoft SMTP Server id 14.1.225.22; Mon, 29 Jul 2013 17:39:22 +0000
Received: from mail173-tx2 (localhost [127.0.0.1])	by mail173-tx2-R.bigfish.com (Postfix) with ESMTP id 921594800C2; Mon, 29 Jul 2013 17:39:22 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:164.107.81.220; KIP:(null); UIP:(null); IPV:NLI; H:cio-tnc-pf06; RD:none; EFVD:NLI
X-SpamScore: 3
Received-SPF: pass (mail173-tx2: domain of osu.edu designates 164.107.81.220 as permitted sender) client-ip=164.107.81.220; envelope-from=cantor.2@osu.edu; helo=cio-tnc-pf06 ; cio-tnc-pf06 ; 
Received: from mail173-tx2 (localhost.localdomain [127.0.0.1]) by mail173-tx2 (MessageSwitch) id 13751195607241_12940; Mon, 29 Jul 2013 17:39:20 +0000 (UTC)
Received: from TX2EHSMHS017.bigfish.com (unknown [10.9.14.230])	by mail173-tx2.bigfish.com (Postfix) with ESMTP id DC224220049; Mon, 29 Jul 2013 17:39:19 +0000 (UTC)
Received: from cio-tnc-pf06 (164.107.81.220) by TX2EHSMHS017.bigfish.com (10.9.99.117) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 29 Jul 2013 17:39:19 +0000
Received: from CIO-KRC-HT03.osuad.osu.edu (localhost [127.0.0.1])	by cio-tnc-pf06 (Postfix) with ESMTP id 61B873C005B; Mon, 29 Jul 2013 13:38:21 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-KRC-HT03.osuad.osu.edu ([fe80::2572:c08d:8186:46a4%12]) with mapi id 14.03.0123.003; Mon, 29 Jul 2013 13:39:18 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: [abfab] SAML binding attack (thanks Jim Schaad)
Thread-Index: AQHOjFqzg6trAIwPXU2n2Ma5rRQnRZl7qmyAgAAIsP+AAARSgIAADUkngAAE6wCAABsvgIAASD0A//+/VAA=
Date: Mon, 29 Jul 2013 17:39:17 +0000
Message-ID: <BA63CEAE152A7742B854C678D9491383AD132E5F@CIO-KRC-D1MBX01.osuad.osu.edu>
In-Reply-To: <CAK3OfOiidCGVfCmMjTFseqPHROzDy+wYF97DAHBYn8bZOB6QXA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [164.107.161.117]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5C1E63BC9E5E5B4B812581C3C17C5E47@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-OriginatorOrg: osu.edu
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 17:40:57 -0000

On 7/29/13 1:30 PM, "Nico Williams" <nico@cryptonector.com> wrote:

>Regarding SSH, maybe we should:
>
>a) add a new userauth type that does use CB,
>
>b) ditto key exchange.

There would have to be a CB type defined for SSH also, of course, but in
any case I'm just noting current state.

It's worth reviewing my security text for the next draft I'm doing for
sure, but that's a topic for kitten, not here.

-- Scott



From nico@cryptonector.com  Mon Jul 29 10:50:40 2013
Return-Path: <nico@cryptonector.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B39F511E80FA for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:50:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level: 
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ei46o5Euq7Sy for <abfab@ietfa.amsl.com>; Mon, 29 Jul 2013 10:50:07 -0700 (PDT)
Received: from homiemail-a71.g.dreamhost.com (mailbigip.dreamhost.com [208.97.132.5]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE0D21F99F4 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:50:03 -0700 (PDT)
Received: from homiemail-a71.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTP id C6CED428083 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:49:56 -0700 (PDT)
Received: from mail-oa0-f47.google.com (mail-oa0-f47.google.com [209.85.219.47]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTPSA id 66FDE428080 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:49:55 -0700 (PDT)
Received: by mail-oa0-f47.google.com with SMTP id m6so6736418oag.6 for <abfab@ietf.org>; Mon, 29 Jul 2013 10:49:54 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.50.62.72 with SMTP id w8mr1130610igr.24.1375120194306; Mon, 29 Jul 2013 10:49:54 -0700 (PDT)
Received: by 10.64.130.169 with HTTP; Mon, 29 Jul 2013 10:49:54 -0700 (PDT)
In-Reply-To: <BA63CEAE152A7742B854C678D9491383AD132E5F@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <CAK3OfOiidCGVfCmMjTFseqPHROzDy+wYF97DAHBYn8bZOB6QXA@mail.gmail.com> <BA63CEAE152A7742B854C678D9491383AD132E5F@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Mon, 29 Jul 2013 12:49:54 -0500
Message-ID: <CAK3OfOiAy1_JMJ6tOc8n4T+eHkoDVS+bB2+EpHv=coJ0Rpae7A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Cantor, Scott" <cantor.2@osu.edu>
Content-Type: text/plain; charset=UTF-8
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] SAML binding attack (thanks Jim Schaad)
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 17:50:40 -0000

On Mon, Jul 29, 2013 at 12:39 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
> There would have to be a CB type defined for SSH also, of course, but in
> any case I'm just noting current state.

Oh, maybe I misunderstood.  The CB for SSHv2 connections is not
defined, but quite obviously the session ID works; it is not available
until *after* initial key exchange completes.  So if you need to use
it you'd not be able to use it in GSS key exchange, but you could
create a new key exchange alg that uses something else.

> It's worth reviewing my security text for the next draft I'm doing for
> sure, but that's a topic for kitten, not here.
>
> -- Scott
>
>
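As an added illustration of the point made in Scott's "Strike that" message and in this exchange about SSH session IDs (this is not code from the thread or from any ABFAB implementation), the following Python model shows why the acceptor-name check alone cannot distinguish a relayed request, while a channel binding tied to the SSH session does. The CB derivation from the session identifier, the request fields and all names are hypothetical.

```python
"""Model of channel binding (CB) between a SAML ECP/GSS authentication request
and the SSH channel it travels over.  Added illustration; the CB type and the
request structure are hypothetical, not any real ABFAB/SSH definition."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def new_session_id(label: str) -> bytes:
    """Constructed stand-in for the SSHv2 session identifier: the exchange hash
    fixed by the first key exchange, so it is only known after that completes."""
    return hashlib.sha256(b"constructed-session:" + label.encode()).digest()


def channel_binding(session_id: bytes) -> bytes:
    """Hypothetical SSH CB type: a labelled hash of the session identifier."""
    return hashlib.sha256(b"ssh-session-id-cb:" + session_id).digest()


@dataclass
class AuthnRequest:
    """The two fields of the client's request that matter here: the acceptor it
    meant to reach (the slot that carries the web site URL in web SAML) and the
    CB of the channel it used, if any."""
    acceptor: str
    cb: Optional[bytes]


def client_build_request(acceptor: str, session_id: bytes, use_cb: bool) -> AuthnRequest:
    """The client names the acceptor it opened a connection to and, when CB is
    in use, binds the request to its own session."""
    return AuthnRequest(acceptor=acceptor, cb=channel_binding(session_id) if use_cb else None)


def acceptor_verify(req: AuthnRequest, my_name: str, my_session_id: bytes,
                    require_cb: bool) -> bool:
    """What the GSS acceptor (or the IdP on its behalf) can check: that the
    request names this acceptor, and that its CB matches the session the
    request actually arrived on."""
    if req.acceptor != my_name:
        return False                       # request was meant for someone else
    if req.cb is None:
        return not require_cb              # no CB present: accept only if policy allows
    return hmac.compare_digest(req.cb, channel_binding(my_session_id))


def direct_login(require_cb: bool, use_cb: bool) -> bool:
    """Client talks straight to service@host over a single SSH session."""
    sid = new_session_id("client<->host")
    req = client_build_request("service@host", sid, use_cb)
    return acceptor_verify(req, "service@host", sid, require_cb)


def relayed_login(require_cb: bool, use_cb: bool) -> bool:
    """First-contact SSH: the client cannot verify the host key, so a relay
    terminates the client's session, opens its own session to the real host
    and forwards the request unchanged."""
    client_sid = new_session_id("client<->relay")
    relay_sid = new_session_id("relay<->host")
    req = client_build_request("service@host", client_sid, use_cb)
    # The acceptor name matches (the client really did want service@host), so
    # only the CB, which differs between the two sessions, can tell them apart.
    return acceptor_verify(req, "service@host", relay_sid, require_cb)
```

With `require_cb=False` the relayed request is accepted, which is the "IdP can't help the client much" case; with CB required it is rejected while a direct login still succeeds.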

From Josh.Howlett@ja.net  Tue Jul 30 01:41:27 2013
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4D821F9F20 for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 01:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvFiBeU3CsYb for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 01:41:17 -0700 (PDT)
Received: from egw002.ukerna.ac.uk (egw002.ukerna.ac.uk [194.81.3.65]) by ietfa.amsl.com (Postfix) with ESMTP id 35C5D21F88BA for <abfab@ietf.org>; Tue, 30 Jul 2013 01:39:18 -0700 (PDT)
Received: from egw002.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id D221620C7DF4_1F77BB4B; Tue, 30 Jul 2013 08:39:16 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw002.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 45DFE20C70FC_1F77BB4F; Tue, 30 Jul 2013 08:39:16 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Tue, 30 Jul 2013 09:39:15 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: Jim's additional issues with aaa-saml
Thread-Index: AQHOjFs+FkefBS4qHkWB9GILn2OYkZl8+JAA
Date: Tue, 30 Jul 2013 08:39:14 +0000
Message-ID: <CE1D46F2.232A9%Josh.Howlett@ja.net>
In-Reply-To: <tslfvuxtth8.fsf@mit.edu>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.6.130613
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <20C0128AE6F1114DA82FAF53AC9DDCE2@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Jim's additional issues with aaa-saml
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 08:41:27 -0000

>
>He brought up the following additional issues.
>
>1) He wants a name ID form to describe a NAI.  That is, he wants to say
>that the subject of this SAML message is the NAI "foo@bar.com"

It's there: Section 6 (Network Access Identifier Name Identifier Format).

>2) He convinced me that including the word state in the RADIUS state
>subject confirmation method is probably wrong; he also believes section
>9 needs more clarity.

As discussed yesterday, I feel this is probably the right name as we're
using the RADIUS State attribute (and not the XML) to convey the value
used to link the sessions. But I don't feel hugely strongly about it. I
agree that the existing text is way too terse.

>We also discussed which service type should be used in the query
>profile, but I want to have a round of that discussion in person with
>you before trying to present to the WG.

Yes, we ought to have a different service type and we can discuss this PM.

Josh.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


From Josh.Howlett@ja.net  Tue Jul 30 06:10:45 2013
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0945411E81D9 for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 06:10:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9q++mM17adxu for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 06:10:38 -0700 (PDT)
Received: from har003676.ukerna.ac.uk (har003676.ukerna.ac.uk [194.82.140.75]) by ietfa.amsl.com (Postfix) with ESMTP id 68F0511E81CB for <abfab@ietf.org>; Tue, 30 Jul 2013 06:10:36 -0700 (PDT)
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id B0CAF4A6B6E_1F7BB4BB for <abfab@ietf.org>; Tue, 30 Jul 2013 13:10:35 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 39F534A6B77_1F7BB4AF for <abfab@ietf.org>; Tue, 30 Jul 2013 13:10:34 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Tue, 30 Jul 2013 14:10:33 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: Today's aaa-saml slides
Thread-Index: AQHOjSYsY4ZBzDYfkUqxVr26eDhI+g==
Date: Tue, 30 Jul 2013 13:10:33 +0000
Message-ID: <CE1D87E4.2334F%Josh.Howlett@ja.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.6.130613
x-originating-ip: [194.82.140.76]
Content-Type: multipart/mixed; boundary="_002_CE1D87E42334FJoshHowlettjanet_"
MIME-Version: 1.0
Subject: [abfab] Today's aaa-saml slides
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 13:10:45 -0000

--_002_CE1D87E42334FJoshHowlettjanet_
Content-Type: text/plain; charset="us-ascii"
Content-ID: <E2A20635A9CB874691D2AC50BECE42AC@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable






--_002_CE1D87E42334FJoshHowlettjanet_
Content-Type: application/pdf; name="ABFAB aaa-saml - IETF 87.pdf"
Content-Description: ABFAB aaa-saml - IETF 87.pdf
Content-Disposition: attachment; filename="ABFAB aaa-saml - IETF 87.pdf";
	size=57838; creation-date="Tue, 30 Jul 2013 13:10:33 GMT";
	modification-date="Tue, 30 Jul 2013 13:10:33 GMT"
Content-ID: <47B106D1DD48654BAA458492FCDF46A2@ukerna.ac.uk>
Content-Transfer-Encoding: base64
--_002_CE1D87E42334FJoshHowlettjanet_--

From internet-drafts@ietf.org  Tue Jul 30 06:19:27 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6819021E80D8; Tue, 30 Jul 2013 06:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.539
X-Spam-Level: 
X-Spam-Status: No, score=-102.539 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-djy6e+EzRT; Tue, 30 Jul 2013 06:19:26 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C8A211E8213; Tue, 30 Jul 2013 06:19:26 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.60p1
Message-ID: <20130730131926.4590.94196.idtracker@ietfa.amsl.com>
Date: Tue, 30 Jul 2013 06:19:26 -0700
Cc: abfab@ietf.org
Subject: [abfab] I-D Action: draft-ietf-abfab-arch-07.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 13:19:27 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application Bridging for Federated Access Beyond web Working Group of the IETF.

	Title           : Application Bridging for Federated Access Beyond Web (ABFAB) Architecture
	Author(s)       : Josh Howlett
                          Sam Hartman
                          Hannes Tschofenig
                          Eliot Lear
                          Jim Schaad
	Filename        : draft-ietf-abfab-arch-07.txt
	Pages           : 44
	Date            : 2013-07-30

Abstract:
   Over the last decade a substantial amount of work has occurred in the
   space of federated access management.  Most of this effort has
   focused on two use cases: network access and web-based access.
   However, the solutions to these use cases that have been proposed and
   deployed tend to have few common building blocks in common.

   This memo describes an architecture that makes use of extensions to
   the commonly used security mechanisms for both federated and non-
   federated access management, including the Remote Authentication Dial
   In User Service (RADIUS) and the Diameter protocol, the Generic
   Security Service (GSS), the Extensible Authentication Protocol (EAP)
   and the Security Assertion Markup Language (SAML).  The architecture
   addresses the problem of federated access management to primarily
   non-web-based services, in a manner that will scale to large numbers
   of identity providers, relying parties, and federations.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-abfab-arch

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-abfab-arch-07

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-abfab-arch-07


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From klaas@wierenga.net  Tue Jul 30 06:24:55 2013
Return-Path: <klaas@wierenga.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C4D521F9DDE for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 06:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mCHDhhhlhgS3 for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 06:24:49 -0700 (PDT)
Received: from out22-ams.mf.surf.net (out22-ams.mf.surf.net [145.0.1.22]) by ietfa.amsl.com (Postfix) with ESMTP id 5A43621F84A8 for <abfab@ietf.org>; Tue, 30 Jul 2013 06:24:42 -0700 (PDT)
Received: from teletubbie.het.net.je (teletubbie.het.net.je [192.87.110.29]) by outgoing1-ams.mf.surf.net (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id r6UDOQkF016188 for <abfab@ietf.org>; Tue, 30 Jul 2013 15:24:27 +0200
Received: from 5355139f.cm-6-6a.dynamic.ziggo.nl ([83.85.19.159] helo=[192.168.16.100]) by teletubbie.het.net.je with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80.1 (FreeBSD)) (envelope-from <klaas@wierenga.net>) id 1V49tv-000PG4-TJ; Tue, 30 Jul 2013 15:23:48 +0200
From: Klaas Wierenga <klaas@wierenga.net>
Content-Type: multipart/mixed; boundary=Apple-Mail-72C5511B-FB9E-4EC8-BA56-7419DD2B7FFC
X-Mailer: iPhone Mail (10B350)
Message-Id: <07DEA383-6560-462F-8E14-E2F9697CBBA4@wierenga.net>
Date: Tue, 30 Jul 2013 15:24:21 +0200
To: abfab@ietf.org
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
X-Antivirus: no malware found
X-Bayes-Prob: 0.0001 (Score 0, tokens from: @@RPTN)
X-CanIt-Geo: ip=192.87.110.29; country=NL; latitude=52.5000; longitude=5.7500; http://maps.google.com/maps?q=52.5000,5.7500&z=6
X-CanItPRO-Stream: p-out:default (inherits from p:default,base:default)
X-Canit-Stats-ID: 0uK6BorPr - ffc0d2a29c5a - 20130730 (trained as not-spam)
X-Scanned-By: CanIt (www . roaringpenguin . com)
Subject: [abfab] Birth spam
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 13:24:55 -0000

--Apple-Mail-72C5511B-FB9E-4EC8-BA56-7419DD2B7FFC
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

http://www.wierenga.net/lara


--Apple-Mail-72C5511B-FB9E-4EC8-BA56-7419DD2B7FFC
Content-Type: image/jpeg;
	name=image.jpeg
Content-Disposition: inline;
	filename=image.jpeg
Content-Transfer-Encoding: base64

--Apple-Mail-72C5511B-FB9E-4EC8-BA56-7419DD2B7FFC
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit



Sent from my iPhone
--Apple-Mail-72C5511B-FB9E-4EC8-BA56-7419DD2B7FFC--

From leifj@sunet.se  Tue Jul 30 08:51:58 2013
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B581611E8210 for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 08:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id whXwDwt+Bzbc for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 08:51:57 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) by ietfa.amsl.com (Postfix) with ESMTP id C508611E80D7 for <abfab@ietf.org>; Tue, 30 Jul 2013 08:51:56 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.3/8.14.3/Debian-9.4) with ESMTP id r6UFpqUG030695 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Tue, 30 Jul 2013 17:51:52 +0200
Received: from [130.129.17.63] (dhcp-113f.meeting.ietf.org [130.129.17.63]) (authenticated bits=0) by smtp1.nordu.net (8.14.6/8.14.6) with ESMTP id r6UFpn6F005373 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <abfab@ietf.org>; Tue, 30 Jul 2013 15:51:52 GMT
Message-ID: <51F7E114.2090707@sunet.se>
Date: Tue, 30 Jul 2013 17:51:48 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: abfab@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, nordu-net:default, base:default, @@RPTN)
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=130.129.17.63; country=CZ; latitude=49.7500; longitude=15.5000; http://maps.google.com/maps?q=49.7500,15.5000&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aK6DPQRC - 7a38eeec0b68 - 20130730
X-Antispam-Training-Forget: https://mailfilter.nordu.net/canit/b.php?i=0aK6DPQRC&m=7a38eeec0b68&t=20130730&c=f
X-Antispam-Training-Nonspam: https://mailfilter.nordu.net/canit/b.php?i=0aK6DPQRC&m=7a38eeec0b68&t=20130730&c=n
X-Antispam-Training-Spam: https://mailfilter.nordu.net/canit/b.php?i=0aK6DPQRC&m=7a38eeec0b68&t=20130730&c=s
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
X-Scanned-By: CanIt (www . roaringpenguin . com)
Subject: [abfab] WGLC for draft-ietf-abfab-arch-07.txt
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 15:51:58 -0000

This message starts a Working-Group Last Call for
draft-ietf-abfab-arch-07.txt
ending on the 20/8. Provide your comments on this draft before that date.

        Leif & Klaas

From diego@tid.es  Tue Jul 30 09:36:31 2013
Return-Path: <diego@tid.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65DDA21F9A38 for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 09:36:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.197
X-Spam-Level: 
X-Spam-Status: No, score=-6.197 tagged_above=-999 required=5 tests=[AWL=0.402,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vp5G3mOeI8Bm for <abfab@ietfa.amsl.com>; Tue, 30 Jul 2013 09:36:27 -0700 (PDT)
Received: from tidos.tid.es (tidos.tid.es [195.235.93.44]) by ietfa.amsl.com (Postfix) with ESMTP id CE86B21F99C3 for <abfab@ietf.org>; Tue, 30 Jul 2013 09:34:12 -0700 (PDT)
Received: from sbrightmailg01.hi.inet (sbrightmailg01.hi.inet [10.95.64.104]) by tid.hi.inet (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0MQR006BWCOZ7Z@tid.hi.inet> for abfab@ietf.org; Tue, 30 Jul 2013 18:34:11 +0200 (MEST)
Received: from tid (tid.hi.inet [10.95.64.10])	by sbrightmailg01.hi.inet (Symantec Messaging Gateway) with SMTP id BD.F3.03142.30BE7F15; Tue, 30 Jul 2013 18:34:11 +0200 (CEST)
Received: from correo.tid.es (mailhost.hi.inet [10.95.64.100]) by tid.hi.inet (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0MQR006BTCOY7Z@tid.hi.inet> for abfab@ietf.org; Tue, 30 Jul 2013 18:34:10 +0200 (MEST)
Received: from EX10-MB2-MAD.hi.inet ([169.254.2.81]) by EX10-HTCAS8-MAD.hi.inet ([fe80::41c8:e965:8a6:de67%11]) with mapi id 14.03.0123.003; Tue, 30 Jul 2013 18:34:10 +0200
Date: Tue, 30 Jul 2013 16:34:10 +0000
From: "Diego R. Lopez" <diego@tid.es>
X-Originating-IP: [10.95.64.115]
To: "abfab@ietf.org" <abfab@ietf.org>
Message-id: <F7938B36-5439-4343-9D33-11D594B75D3C@tid.es>
Content-id: <84101307611062448C9042363C41C628@hi.inet>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-language: en-US
Content-transfer-encoding: base64
Accept-Language: en-US, es-ES
Thread-topic: Review of RADEXT draft on RADIUS fragment
Thread-index: AQHOjUKerE7ue8/sKkipGe5cmsbLeA==
X-AuditID: 0a5f4068-b7f128e000000c46-70-51f7eb036fe5
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrALMWRmVeSWpSXmKPExsXCFe/Apcv8+nugQc9FNouP198wOjB6LFny kymAMYrLJiU1J7MstUjfLoEr42vHUtaCd7wVhz4cYGxgPMDbxcjJISFgIjH/w0Z2CFtM4sK9 9WxdjFwcQgIbGSW2rL7PCOH8YJTY+vUVO4SzgVHi5q2zTCAtLAKqEpcurGABsdmA7EfNv8FG CQsYSdx+sIwJYqyCxJ9zj8FqRIBqzj//wAZi8wpYShy4d44ZxGYWMJO40LuBESIuKPFj8j2g eg6guLrElCm5ECXiEs2tN1kgbEWJaYsawMoZBWQl3s2fzwox3lzizvLLzCCtIgJ6Eoe+CEBc ICCxZM95ZghbVOLl43+sExhFZyFZPAvJ4lkIi2chWTwLyeIFjKyrGMWKk4oy0zNKchMzc9IN DPUyMvUy81JLNjFCYiVjB+PynSqHGAU4GJV4eB0ufA8UYk0sK67MPcQowcGsJMJ7fiJQiDcl sbIqtSg/vqg0J7X4ECMTB6dUA6OguWGg7Oy4QAdT7qAdNtFXdy1bZRsbel/F0lL+vOg1hyLW Ow8u68Ssfvlww7rFMbmJJRzFy+5N1TiZGRza92vO71XmM57ckpr9JMxp7oH2w0at+2+H+Ptr LT6lcIEt8+m2CXHrnt3zWLXEQemEYsPyA80Haotln1t9tdp34PjORYaOvK+qS3YpsRRnJBpq MRcVJwIA174iGHMCAAA=
Subject: [abfab] Review of RADEXT draft on RADIUS fragment
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 16:36:31 -0000

From leifj@mnt.se  Wed Jul 31 03:13:06 2013
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C15E621F9FCF for <abfab@ietfa.amsl.com>; Wed, 31 Jul 2013 03:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ydk8qrXJSNj0 for <abfab@ietfa.amsl.com>; Wed, 31 Jul 2013 03:13:01 -0700 (PDT)
Received: from mail-pb0-f52.google.com (mail-pb0-f52.google.com [209.85.160.52]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5E621F9F9E for <abfab@ietf.org>; Wed, 31 Jul 2013 03:13:01 -0700 (PDT)
Received: by mail-pb0-f52.google.com with SMTP id wz12so588037pbc.39 for <abfab@ietf.org>; Wed, 31 Jul 2013 03:13:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :content-type:content-transfer-encoding:x-gm-message-state; bh=y3WkgTGcAffUD1+MF2eWxAvgVp7i87DIQMqC1JsXIiM=; b=Z8ZaV6MDNyolPo5tcpQPx4eX+YxXAQbwGFVbq2RKcXzRWxy/QZ5r0ePLY5Ds7I4Dq6 Z2ecBIVo1fB/YHENefvvNYUxA/X5bpARo4TusDM6vKK+JhwgJQfsJNZCMYdeQ9pwj00e +9wDlUCzeBXyF0NfF8G3GXHWJlDtdwv7MES1wDZQIyZguV7W7tkpds3kyGDYJ9Xid/3s q9S+yPOSyPJAM1iULbtIwl5ODUJ/BNtHaWTsR1+bjaaKtefdLiuQfnO4vYtYEekoBFoe KeHtKr1PlabFPYlp3dCKW/PjS4qcyVM1y47ROEqFn8VWzZRejRfnA2O5TcU8NSESLmpV WvzQ==
X-Received: by 10.68.242.105 with SMTP id wp9mr78583690pbc.153.1375265580009;  Wed, 31 Jul 2013 03:13:00 -0700 (PDT)
Received: from ?IPv6:2001:df8:0:16:4538:478a:a4b7:5d6f? ([2001:df8:0:16:4538:478a:a4b7:5d6f]) by mx.google.com with ESMTPSA id ot4sm3582462pac.17.2013.07.31.03.12.58 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 31 Jul 2013 03:12:59 -0700 (PDT)
Message-ID: <51F8E328.9070704@mnt.se>
Date: Wed, 31 Jul 2013 12:12:56 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: abfab@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQkfQWLGmEr32tJkcW/sPO6IyNQg4Sy9KGhDFQRn5fx7BHsxFrCTLNGwlV2RRk9Mh9ksF05H
Cc: ietf-secretariat-reply@ietf.org
Subject: [abfab] milestones changed
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2013 10:13:06 -0000

I've updated our milestones but for some reason the secretariat auto-
poster doesn't have permission to post to the abfab list.

Please go and have a look at the milestones over here:

    https://datatracker.ietf.org/wg/abfab/charter/

The target dates are based on the discussion we had in the room
yesterday.

        Cheers Leif
