From nobody Thu Mar 1 19:04:34 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED14126579; Thu, 1 Mar 2018 19:04:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.89 X-Spam-Level: X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id em4vjJXLlE1K; Thu, 1 Mar 2018 19:04:29 -0800 (PST) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 496BE120724; Thu, 1 Mar 2018 19:04:29 -0800 (PST) Received: from [10.0.1.10] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w2234ReO048445 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 1 Mar 2018 21:04:28 -0600 (CST) (envelope-from ben@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.10] From: Ben Campbell Message-Id: <1410CC8D-8879-4435-AF6B-FBF5B9F9FA51@nostrum.com> Content-Type: multipart/signed; boundary="Apple-Mail=_5677303A-8F40-4927-8906-6FF446904D1A"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Date: Thu, 1 Mar 2018 21:04:26 -0600 In-Reply-To: <2108881588.5977405.1519629280512@mail.yahoo.com> Cc: ops-ads@ietf.org, dime@ietf.org, draft-ietf-dime-rfc4006bis.all@ietf.org To: Yuval Lifshitz References: <3C03A895-53C5-44D9-905F-9DD5248D3675@nostrum.com> <608352900.888044.1518623812177@mail.yahoo.com> <868034109.936629.1518628004592@mail.yahoo.com> <2108881588.5977405.1519629280512@mail.yahoo.com> X-Mailer: Apple Mail (2.3445.5.20) Archived-At: Subject: Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06 X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Mar 2018 03:04:32 -0000 --Apple-Mail=_5677303A-8F40-4927-8906-6FF446904D1A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi Yuval, Thanks, this looks really good. You=E2=80=99ve done a lot of work here. I=E2=80=99m not sure the normative keywords are necessary; I think for = something like this it=E2=80=99s better to describe the risks and what = people can do about it, but we generally can=E2=80=99t force people to = follow that guidance. Also, the added normative requirements in 15.2 and = 15.3 are significant new requriements, and may need working group = discussion. I have a few more comments inline: Thanks! Ben. > On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz wrote: >=20 > Hi All, > Would appreciate if you can review/comment on the the following new = section: > 15. Privacy Considerations >=20 > As the Diameter protocol, and especially credit control = application, > deals with subscribers and their actions, extra care should be = taken > regarding the privacy of the subscribers. In terms of [RFC6973], > both the credit-control client and credit-control server are > intermediary entities, wherein the subscribers' privacy may be > compromised even if no security issues exists, and only authorized > entities have access to the privacy-sensitive information. >=20 > 15.1. Privacy Sensitive AVPs >=20 > The following AVPs contain privacy-sensitive information at = different > levels: >=20 > 1. CC-Correlation-Id AVP: may contain privacy-sensitive = information > as the service-provider may encode personal information that > helps it correlate different subscriptions and access > technologies. >=20 > 2. Check-Balance-Result AVP: contains information on the balance > status of the subscriber. >=20 > 3. Currency-Code AVP: contains information on the subscriber's > locale. >=20 > 4. Cost-Unit AVP: contains privacy-sensitive information, as a > human readable format of the Cost-Information AVP. >=20 > 5. Service-Identifier AVP: may contain privacy-sensitive > information about the subscriber's internet activity. >=20 > 6. Rating-Group AVP: may contain privacy-sensitive information > about the subscriber's internet activity. >=20 > 7. Restriction-Filter-Rule AVP: the information inside = IPFilterRule > may be used to infer services used by the subscriber. >=20 > 8. Redirect-Server-Address AVP: the service-provider may embed > personal information on the subscriber in the URL/I (e.g. to > create a personalized message). Similar AVPs are: Redirect- > Address-URL, Redirect-Address-SIP-URI. Is there reasonable guidance one could give to not encode personal = information in the URL? >=20 > 9. Service-Context-Id AVP: depending with how the = service-provider > use it, it may contain privacy-sensitive information about the > service (e.g. access technology). >=20 > 10. Service-Parameter-Info AVP: depending with how the service- > provider use it, it may contain privacy-sensitive information > about the subscriber (e.g. location). >=20 for both 9 and 10: =E2=80=9C=E2=80=A6 service-provider use it=E2=80=A6 = =E2=80=9C s/use/uses Is there reasonable guidance that could be given to avoid putting = privacy sensitive info in these? > 11. Subscription-Id-Data AVP: contains the identity of the > subscriber. Similar AVPs are: Subscription-Id-E164, > Subscription-Id-IMSI, Subscription-Id-SIP-URI, = Subscription-Id- > NAI, Subscription-Id-Private. >=20 > 12. User-Equipment-Info-Value AVP: contains the identity of the > device of the subscriber. Similar AVPs are: User-Equipment- > Info-IMEISV, User-Equipment-Info-MAC, = User-Equipment-Info-EUI64, > User-Equipment-Info-ModifiedEUI64, User-Equipment-Info-IMEI. >=20 > 13. QoS-Final-Unit-Indication AVP: grouped AVP which may contains > privacy-sensitive information in its sub-AVPs (e.g = IPFilterRule, > redirect address). >=20 > Note that some AVPs which are used in this document are defined in > [RFC6733] and may contain privacy-sensitive information. These = AVPs > are not listed above. >=20 > 15.2. Data Minimization >=20 > Due to the nature of the credit control application, some personal > data and identity information must be stored in both credit-control > client and credit control server. This, however, could be = minimized > by following these guidelines: >=20 > 1. Data stored in the credit-control client does not need to be > persisted across sessions. All data could be deleted once the > session end, and reconstructed once a new session is = initialized. > Note that, while the credit-control server is usually owned by > the service provider with which the subscriber already has some > direct legal or business relationship (where privacy level = could > be agreed upon), this is not always true for the credit-control > client, that may be owned by a third-party. >=20 > 2. Some information about the subscriber has to be stored in > persistent storage in the credit-control server (e.g. identity, > balance), however, per transaction information does not have to > be stored in persistent storage, and per session information = may > be deleted from persistent storage once the session ends. >=20 > 3. In some cases, per transaction information has to be stored on > the credit-control server, client, or both, for regulatory, > auditability or debugging reasons. However, this could be > minimized by following these guidelines: >=20 > A. Data retention SHOULD NOT exceed the required durations >=20 > B. Transaction information SHOULD be aggregated as much as > possible. E.g. prefer information per sessions vs. > information per rating-group; prefer hourly byte summary = vs. > per transaction byte counts. >=20 > C. If not strictly needed, the more sensitive information = (E.g. > location, equipment type) SHOULD be filtered out from such > logs. Such information is often used to make rating > decisions, and in this case, the rating decision should be > logged instead of the data used to make them >=20 > D. The credit-control server SHOULD be preferred over the > credit-control client as the place where per transaction > information is stored, if needed. This is due to the = reasons > explained in 1. I would avoid the above SHOULDs. Rather, state these in terms of things = people _can_ do to improve privacy. >=20 > 15.3. Diameter Agents >=20 > Diameter agents, as described in [RFC6733], may be owned by third- > parties. To prevent from privacy sensitive information from = leaking > into them, it is RECOMMENDED to encrypt AVPs holding such > information, as listed in Section 15.1. Do you think people will actually do that? If not, there=E2=80=99s no = point in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know it = will be ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients = and servers could encrypt AVPs=E2=80=A6=E2=80=9D Also, since we don=E2=80=99t have an e2e crypto standard for Diameter = (yet, anyway), it would be hard to do this in an interoperable way. = People would have to agree on algorithms, key management, etc. That = doesn=E2=80=99t mean we can=E2=80=99t mention it, but it argues against = a normative requirement. >=20 > In some cases, the Diameter agent requires access into privacy- > sensitive AVPs, in order to take correct routing decisions, or even > modify the content of these AVPs. In such a case it is RECOMMENDED > to anonymize the identity of the subscriber, and encrypt any other > AVP not used by the agent and can be used to identify the = subscriber. >=20 >=20 >=20 >=20 >=20 > On Wednesday, February 14, 2018, 7:12:49 PM GMT+2, Ben Campbell = wrote: >=20 >=20 > Even if we add privacy considerations to the base protocol, I think = 4006bis would still need privacy considerations that discuss the = specific AVPs it defines. So I would go ahead and add considerations to = 4006bis and avoid the delay. The WG can discuss whether it would like to = add more general considerations to the base protocol (either in a bis = draft or an update). >=20 > Thanks! >=20 > Ben. >=20 > > On Feb 14, 2018, at 11:06 AM, Yuval Lifshitz = wrote: > > > > Regarding "privacy considerations". Note that the base protocol RFC = does not have that. > > Ideally, this is added to base Diameter first, as many of the = sensitive AVPs come from there. > > Should we try to tackle that first (though this would delay the = RFC4006bis process)? > > Should we cover only 4006 AVPs and issues? > > > > Best Regards, > > > > Yuval > > > > > > On Wednesday, February 14, 2018, 5:56:52 PM GMT+2, Yuval Lifshitz = wrote: > > > > > > Ben, > > First, thanks for the comments! > > > > Regarding the major comment, agree this should be added, it was = already agreed in the meeting we had in IETF96, but somehow slipped :-( > > > > Sections 12: all the AVPs mentioned in this section exists in = RFC4006, and has values that are already registered. As part of = RFC4006bis we did not add any AVP that requires values enumeration (this = was actually one of the issue we tried to tackle). What would you like = to see different in this section? > > What is the process for updating IANA with the references to the new = doc? Can this happen before RFC4006bis is officially accepted? > > > > Appendix B: the new AVPs do not impact the flows, therefore not = added to the sample flows > > > > 8.34 agree, this is pretty bad. How about: > > If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT > > and the classification of the restricted traffic cannot be = expressed > > using IPFilterRule, or different actions (e.g., QoS) than just > > allowing traffic needs to be enforced, then the QoS-Final-Unit- > > Indication AVP SHOULD be used instead of the = Final-Unit-Indication > > AVP. > > > > > > 14. agree we should simplify as you suggested > > > > Best Regards, > > > > Yuval > > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell = wrote: > > > > > > Hi, > > > > This is my AD Evaluation of draft-ietf-dime-rfc4006bis-06. Thanks = for the work on this; it=E2=80=99s overall a good update. However, I = have one major comment and a few minor or editorial comments. I=E2=80=99d = like to discuss the major comment prior IETF last call. The rest can be = handled along with any last call feedback. > > > > Note that for all but the major comment, I mostly reviewed the diff = from RFC 4006. > > > > Thanks! > > > > Ben. > > > > =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94= =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94 > > > > Major Comment: > > > > I strongly suggest that you add more privacy considerations. I = realize that it inherits its existing privacy considerations from RFC = 4006, but that was published in 2005. The IETF=E2=80=99s focus on = privacy has evolved considerably since then, and I think this draft will = get objections during IESG review without adding some more. > > > > I suggest the following: > > =E2=80=94 Create a =E2=80=9CPrivacy Considerations=E2=80=9D section = separate from the security considerations. > > =E2=80=94 Enumerate the AVPs that you think contain user = identifiable information, persistent identifiers, or other privacy = sensitive data. > > =E2=80=94 Make some non-normative recommendations concerning data = minimization. That is, add a few sentences recommending that clients and = servers avoid capturing and/or log personal information beyond that = needed for the application's purpose. > > > > Minor Comments: > > > > -Section 12 and subsections: Please clarify that many of these = elements were already registered by RF 4006, and are not being = =E2=80=9Cre-registered=E2=80=9D here. ( It=E2=80=99s perfectly okay to = pull the registration information forward into the bis draft; it just = needs clarification.) Also, please consider wether existing = registrations should be updated to point to this document rather than = 4006. > > > > Appendices: Would any of the example flows benefit from including = one or more of the new AVPs? > > > > Editorial and Nits: > > > > -Section 8.34: =E2=80=9C If the Final-Unit-Action AVP is set to = RESTRICT_ACCESS or REDIRECT > > and the classification of the restricted traffic cannot be expressed > > using IPFilterRule, or different actions (e.g., QoS) than just > > allowing QoS needs to be enforced traffic, =E2=80=A6 =E2=80=9C > > > > I have trouble parsing the sentence. > > > > -14: "Even without any modification to the messages, an adversary = can > > invite a security threat by eavesdropping, as the transactions = contain private information about the user. > > =E2=80=9D > > I suggest =E2=80=9C =E2=80=A6 an adversary can eavesdrop on = transactions that contain privacy-sensitive imformation=E2=80=9D > > > > > > > > > > > > > > > > > > _______________________________________________ > > DiME mailing list > > DiME@ietf.org > > https://www.ietf.org/mailman/listinfo/dime > _______________________________________________ > DiME mailing list > DiME@ietf.org > https://www.ietf.org/mailman/listinfo/dime --Apple-Mail=_5677303A-8F40-4927-8906-6FF446904D1A Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIzBAEBCgAdFiEExW9rpd7ez4DexOFOgFZKbJXz1A0FAlqYvzoACgkQgFZKbJXz 1A1HaA/8C6V+B+IuFIla1gIZdyeu4vygtuXIWJ9iaEgv71Zkru8scA5JDXdhQS15 AF/cS8Dun4FCsV8xyfS47iPIo1fq5FxkzBQ2he5FWdRRZO5OB2Jw/uT1ViFEmJFC +yfzm0hKKbOj5kQRWtlHvlAdgnYiYi7wBd8384MyYsrKAxqwyyvXUoiCH+pwichj l8DCuWThUIen+jmbS3xNp4GNRSxaRNX8FP1laYIc4HFGJyL6+3P/70uMDmewJhbf Byb8Mv/Es6or7vzhTuY+NcTMgktS7/KBQHR8NkaSZb4yncWk+Hcmh6QKqT7gM3nj Hw+7Uu5zZ+vVjKHHu8/ZH8cVIrAvDS08jf3/A77okhnzCJi0Db0CjpKRc0HwxIXh 18jjhUVKJC7KZmFSS2p5fdchFfusb48KxXA7wZBUtFQWYgAfqpJnAFuDBlYYpjU3 F6QZDIbO1q2ZTTHwy770U8SFdV9e+TwCL3pVOm7e4/L+mjRcE7MXSck6WB3BBLdu FEPGO0Oejhcqe44691t+CZmefV4LMA4HYFQ2wyY3Yl8xQDBvkx0sOED9CyehYv0V C6hbvwb4NeZu6cjTI5EXT9YI/CTJJdW1HYLMh5QjbOEq7RvJpReiFDaijLcAY6Uy jLItv4yKePtQ62W2vOKYurplxefpP2reO6SPk81goISTu5HlQ2o= =Lbw3 -----END PGP SIGNATURE----- --Apple-Mail=_5677303A-8F40-4927-8906-6FF446904D1A-- From nobody Mon Mar 5 11:44:14 2018 Return-Path: X-Original-To: dime@ietf.org Delivered-To: dime@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D8D12E8E6; Mon, 5 Mar 2018 11:43:58 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dime@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.74.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <152027903844.31739.14668543896500106421@ietfa.amsl.com> Date: Mon, 05 Mar 2018 11:43:58 -0800 Archived-At: Subject: [Dime] I-D Action: draft-ietf-dime-doic-rate-control-08.txt X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Mar 2018 19:44:06 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Diameter Maintenance and Extensions WG of the IETF. Title : Diameter Overload Rate Control Authors : Steve Donovan Eric Noel Filename : draft-ietf-dime-doic-rate-control-08.txt Pages : 19 Date : 2018-03-05 Abstract: This specification documents an extension to the Diameter Overload Indication Conveyance (DOIC) [RFC7683] base solution. This extension adds a new overload control abatement algorithm. This abatement algorithm allows for a DOIC reporting node to specify a maximum rate at which a DOIC reacting node sends Diameter requests to the DOIC reporting node. Requirements The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dime-doic-rate-control/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dime-doic-rate-control-08 https://datatracker.ietf.org/doc/html/draft-ietf-dime-doic-rate-control-08 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dime-doic-rate-control-08 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Mon Mar 5 11:46:58 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB2221205D3 for ; Mon, 5 Mar 2018 11:46:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.109 X-Spam-Level: X-Spam-Status: No, score=-1.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_NEUTRAL=0.779, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lnrk64ZsonA9 for ; Mon, 5 Mar 2018 11:46:51 -0800 (PST) Received: from biz131.inmotionhosting.com (biz131.inmotionhosting.com [173.247.247.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ECB512D7E4 for ; Mon, 5 Mar 2018 11:46:51 -0800 (PST) Received: from [97.99.50.102] (port=51693 helo=Steves-MacBook-Air.local) by biz131.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89_1) (envelope-from ) id 1esw48-002pdU-6R for dime@ietf.org; Mon, 05 Mar 2018 11:46:50 -0800 To: "dime@ietf.org" From: Steve Donovan Message-ID: Date: Mon, 5 Mar 2018 13:46:31 -0600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------390091F2A6492B37560D541B" Content-Language: en-US X-OutGoing-Spam-Status: No, score=2.5 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - biz131.inmotionhosting.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - usdonovans.com X-Get-Message-Sender-Via: biz131.inmotionhosting.com: authenticated_id: srdonovan@usdonovans.com X-Authenticated-Sender: biz131.inmotionhosting.com: srdonovan@usdonovans.com X-Source: X-Source-Args: X-Source-Dir: Archived-At: Subject: [Dime] Diff file for latest rate draft update X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Mar 2018 19:46:55 -0000 This is a multi-part message in MIME format. --------------390091F2A6492B37560D541B Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit All, Here's the diff file for the latest update to draft-ietf-dime-doic-rate-control. Regards, Steve --------------390091F2A6492B37560D541B Content-Type: text/html; charset=UTF-8; name="Diff draft-ietf-dime-doic-rate-control-07.txt - draft-ietf-dime-doic-rate-control-08.txt.html" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename*0="Diff draft-ietf-dime-doic-rate-control-07.txt - draft-ietf-"; filename*1="dime-doic-rate-control-08.txt.html" PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlv bmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5z aXRpb25hbC5kdGQiPgo8IS0tIEdlbmVyYXRlZCBieSByZmNkaWZmIDEuNDY6IHJmY2RpZmYg IC0tPgo8IS0tIDwhRE9DVFlQRSBodG1sIFBVQkxJQyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAx IFRyYW5zaXRpb25hbCIgPiAtLT4KPCEtLSBTeXN0ZW06IExpbnV4IHppbmZhbmRlbCAzLjIu MC01LWFtZDY0ICMxIFNNUCBEZWJpYW4gMy4yLjk2LTMgeDg2XzY0IEdOVS9MaW51eCAtLT4K PCEtLSBVc2luZyBhd2s6IC91c3IvYmluL2dhd2s6IEdOVSBBd2sgNC4wLjEgLS0+CjwhLS0g VXNpbmcgZGlmZjogL3Vzci9iaW4vZGlmZjogZGlmZiAoR05VIGRpZmZ1dGlscykgMy4yIC0t Pgo8IS0tIFVzaW5nIHdkaWZmOiAvdXNyL2Jpbi93ZGlmZjogd2RpZmYgKEdOVSB3ZGlmZikg MS4xLjIgLS0+CjxodG1sIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj48 aGVhZD4gCiAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0 L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPiAKICA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVN0 eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4gCiAgPHRpdGxlPkRpZmY6IGRyYWZ0LWll dGYtZGltZS1kb2ljLXJhdGUtY29udHJvbC0wNy50eHQgLSBkcmFmdC1pZXRmLWRpbWUtZG9p Yy1yYXRlLWNvbnRyb2wtMDgudHh0PC90aXRsZT4gCiAgPHN0eWxlIHR5cGU9InRleHQvY3Nz Ij4gCiAgICBib2R5ICAgIHsgbWFyZ2luOiAwLjRleDsgbWFyZ2luLXJpZ2h0OiBhdXRvOyB9 IAogICAgdHIgICAgICB7IH0gCiAgICB0ZCAgICAgIHsgd2hpdGUtc3BhY2U6IHByZTsgZm9u dC1mYW1pbHk6IG1vbm9zcGFjZTsgdmVydGljYWwtYWxpZ246IHRvcDsgZm9udC1zaXplOiAw Ljg2ZW07fSAKICAgIHRoICAgICAgeyBmb250LXNpemU6IDAuODZlbTsgfSAKICAgIC5zbWFs bCAgeyBmb250LXNpemU6IDAuNmVtOyBmb250LXN0eWxlOiBpdGFsaWM7IGZvbnQtZmFtaWx5 OiBWZXJkYW5hLCBIZWx2ZXRpY2EsIHNhbnMtc2VyaWY7IH0gCiAgICAubGVmdCAgIHsgYmFj a2dyb3VuZC1jb2xvcjogI0VFRTsgfSAKICAgIC5yaWdodCAgeyBiYWNrZ3JvdW5kLWNvbG9y OiAjRkZGOyB9IAogICAgLmRpZmYgICB7IGJhY2tncm91bmQtY29sb3I6ICNDQ0Y7IH0gCiAg ICAubGJsb2NrIHsgYmFja2dyb3VuZC1jb2xvcjogI0JGQjsgfSAKICAgIC5yYmxvY2sgeyBi YWNrZ3JvdW5kLWNvbG9yOiAjRkY4OyB9IAogICAgLmluc2VydCB7IGJhY2tncm91bmQtY29s b3I6ICM4RkY7IH0gCiAgICAuZGVsZXRlIHsgYmFja2dyb3VuZC1jb2xvcjogI0FDRjsgfSAK ICAgIC52b2lkICAgeyBiYWNrZ3JvdW5kLWNvbG9yOiAjRkZCOyB9IAogICAgLmNvbnQgICB7 IGJhY2tncm91bmQtY29sb3I6ICNFRUU7IH0gCiAgICAubGluZWJyIHsgYmFja2dyb3VuZC1j b2xvcjogI0FBQTsgfSAKICAgIC5saW5lbm8geyBjb2xvcjogcmVkOyBiYWNrZ3JvdW5kLWNv bG9yOiAjRkZGOyBmb250LXNpemU6IDAuN2VtOyB0ZXh0LWFsaWduOiByaWdodDsgcGFkZGlu ZzogMCAycHg7IH0gCiAgICAuZWxpcHNpc3sgYmFja2dyb3VuZC1jb2xvcjogI0FBQTsgfSAK ICAgIC5sZWZ0IC5jb250IHsgYmFja2dyb3VuZC1jb2xvcjogI0RERDsgfSAKICAgIC5yaWdo dCAuY29udCB7IGJhY2tncm91bmQtY29sb3I6ICNFRUU7IH0gCiAgICAubGJsb2NrIC5jb250 IHsgYmFja2dyb3VuZC1jb2xvcjogIzlEOTsgfSAKICAgIC5yYmxvY2sgLmNvbnQgeyBiYWNr Z3JvdW5kLWNvbG9yOiAjREQ2OyB9IAogICAgLmluc2VydCAuY29udCB7IGJhY2tncm91bmQt Y29sb3I6ICMwREQ7IH0gCiAgICAuZGVsZXRlIC5jb250IHsgYmFja2dyb3VuZC1jb2xvcjog IzhBRDsgfSAKICAgIC5zdGF0cywgLnN0YXRzIHRkLCAuc3RhdHMgdGggeyBiYWNrZ3JvdW5k LWNvbG9yOiAjRUVFOyBwYWRkaW5nOiAycHggMDsgfSAKICAgIHNwYW4uaGlkZSB7IGRpc3Bs YXk6IG5vbmU7IGNvbG9yOiAjYWFhO30gICAgYTpob3ZlciBzcGFuIHsgZGlzcGxheTogaW5s aW5lOyB9ICAgIHRyLmNoYW5nZSB7IGJhY2tncm91bmQtY29sb3I6IGdyYXk7IH0gCiAgICB0 ci5jaGFuZ2UgYSB7IHRleHQtZGVjb3JhdGlvbjogbm9uZTsgY29sb3I6IGJsYWNrIH0gCiAg PC9zdHlsZT4gCiAgICAgPHNjcmlwdD4KdmFyIGNodW5rX2luZGV4ID0gMDsKdmFyIG9sZF9j aHVuayA9IG51bGw7CgpmdW5jdGlvbiBmb3JtYXRfY2h1bmsoaW5kZXgpIHsKICAgIHZhciBw cmVmaXggPSAiZGlmZiI7CiAgICB2YXIgc3RyID0gaW5kZXgudG9TdHJpbmcoKTsKICAgIGZv ciAoeD0wOyB4PCg0LXN0ci5sZW5ndGgpOyArK3gpIHsKICAgICAgICBwcmVmaXgrPScwJzsK ICAgIH0KICAgIHJldHVybiBwcmVmaXggKyBzdHI7Cn0KCmZ1bmN0aW9uIGZpbmRfY2h1bmso bil7CiAgICByZXR1cm4gZG9jdW1lbnQucXVlcnlTZWxlY3RvcigndHJbaWQkPSInICsgbiAr ICciXScpOwp9CgpmdW5jdGlvbiBjaGFuZ2VfY2h1bmsob2Zmc2V0KSB7CiAgICB2YXIgaW5k ZXggPSBjaHVua19pbmRleCArIG9mZnNldDsKICAgIHZhciBuZXdfc3RyOwogICAgdmFyIG5l d19jaHVuazsKCiAgICBuZXdfc3RyID0gZm9ybWF0X2NodW5rKGluZGV4KTsKICAgIG5ld19j aHVuayA9IGZpbmRfY2h1bmsobmV3X3N0cik7CiAgICBpZiAoIW5ld19jaHVuaykgewogICAg ICAgIHJldHVybjsKICAgIH0KICAgIGlmIChvbGRfY2h1bmspIHsKICAgICAgICBvbGRfY2h1 bmsuc3R5bGUub3V0bGluZSA9ICIiOwogICAgfQogICAgb2xkX2NodW5rID0gbmV3X2NodW5r OwogICAgb2xkX2NodW5rLnN0eWxlLm91dGxpbmUgPSAiMXB4IHNvbGlkIHJlZCI7CiAgICB3 aW5kb3cubG9jYXRpb24ucmVwbGFjZSgiIyIgKyBuZXdfc3RyKQogICAgd2luZG93LnNjcm9s bEJ5KDAsLTEwMCk7CiAgICBjaHVua19pbmRleCA9IGluZGV4Owp9Cgpkb2N1bWVudC5vbmtl eWRvd24gPSBmdW5jdGlvbihlKSB7CiAgICBzd2l0Y2ggKGUua2V5Q29kZSkgewogICAgY2Fz ZSA3ODoKICAgICAgICBjaGFuZ2VfY2h1bmsoMSk7CiAgICAgICAgYnJlYWs7CiAgICBjYXNl IDgwOgogICAgICAgIGNoYW5nZV9jaHVuaygtMSk7CiAgICAgICAgYnJlYWs7CiAgICB9Cn07 CiAgIDwvc2NyaXB0PiAKPC9oZWFkPiAKPGJvZHk+IAogIDx0YWJsZSBjZWxsc3BhY2luZz0i MCIgY2VsbHBhZGRpbmc9IjAiIGJvcmRlcj0iMCI+IAogIDx0Ym9keT48dHIgaWQ9InBhcnQt MSIgYmdjb2xvcj0ib3JhbmdlIj48dGg+PC90aD48dGg+PGEgaHJlZj0iaHR0cHM6Ly90b29s cy5pZXRmLm9yZy9yZmNkaWZmP3VybDI9ZHJhZnQtaWV0Zi1kaW1lLWRvaWMtcmF0ZS1jb250 cm9sLTA3LnR4dCIgc3R5bGU9ImNvbG9yOiMwMDg7IHRleHQtZGVjb3JhdGlvbjpub25lOyI+ Jmx0OzwvYT4mbmJzcDs8YSBocmVmPSJodHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJh ZnQtaWV0Zi1kaW1lLWRvaWMtcmF0ZS1jb250cm9sLTA3LnR4dCIgc3R5bGU9ImNvbG9yOiMw MDgiPmRyYWZ0LWlldGYtZGltZS1kb2ljLXJhdGUtY29udHJvbC0wNy50eHQ8L2E+Jm5ic3A7 PC90aD48dGg+IDwvdGg+PHRoPiZuYnNwOzxhIGhyZWY9Imh0dHBzOi8vdG9vbHMuaWV0Zi5v cmcvaHRtbC9kcmFmdC1pZXRmLWRpbWUtZG9pYy1yYXRlLWNvbnRyb2wtMDgudHh0IiBzdHls ZT0iY29sb3I6IzAwOCI+ZHJhZnQtaWV0Zi1kaW1lLWRvaWMtcmF0ZS1jb250cm9sLTA4LnR4 dDwvYT4mbmJzcDs8YSBocmVmPSJodHRwczovL3Rvb2xzLmlldGYub3JnL3JmY2RpZmY/dXJs MT1kcmFmdC1pZXRmLWRpbWUtZG9pYy1yYXRlLWNvbnRyb2wtMDgudHh0IiBzdHlsZT0iY29s b3I6IzAwODsgdGV4dC1kZWNvcmF0aW9uOm5vbmU7Ij4mZ3Q7PC9hPjwvdGg+PHRoPjwvdGg+ PC90cj4gCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+RGlhbWV0ZXIgTWFpbnRlbmFuY2UgYW5kIEV4dGVuc2lvbnMgKERJ TUUpICAgICAgICAgICAgICAgUy4gRG9ub3ZhbiwgRWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+RGlhbWV0ZXIgTWFpbnRlbmFuY2UgYW5kIEV4dGVuc2lvbnMgKERJTUUp ICAgICAgICAgICAgICAgUy4gRG9ub3ZhbiwgRWQuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij5JbnRlcm5ldC1EcmFmdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBPcmFjbGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij5JbnRlcm5ldC1EcmFmdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICBPcmFjbGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PkludGVuZGVkIHN0YXR1czogU3RhbmRhcmRzIFRyYWNrICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgRS4gTm9lbDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPklu dGVuZGVkIHN0YXR1czogU3RhbmRhcmRzIFRyYWNrICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgRS4gTm9lbDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyIGlkPSJkaWZmMDAwMSI+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj5FeHBpcmVzOiA8c3BhbiBjbGFz cz0iZGVsZXRlIj5NYXJjaCAzMSw8L3NwYW4+IDIwMTggICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgQVQmYW1wO1QgTGFiczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmJsb2NrIj5FeHBpcmVzOiA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5TZXB0ZW1iZXIgNiw8 L3NwYW4+IDIwMTggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVQmYW1w O1QgTGFiczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0i ZGVsZXRlIj5TZXB0ZW1iZXIgMjcsIDIwMTc8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyYmxvY2siPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9Imluc2VydCI+TWFyY2ggNSwgMjAxODwv c3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAg ICAgICAgICAgICAgICAgRGlhbWV0ZXIgT3ZlcmxvYWQgUmF0ZSBDb250cm9sPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAgICAgICAgICAgRGlhbWV0ZXIg T3ZlcmxvYWQgUmF0ZSBDb250cm9sPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHIgaWQ9ImRpZmYwMDAyIj48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgICAgICAgICAg ICBkcmFmdC1pZXRmLWRpbWUtZG9pYy1yYXRlLWNvbnRyb2wtMDxzcGFuIGNsYXNzPSJkZWxl dGUiPjc8L3NwYW4+LnR4dDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAg ICAgICAgICAgICAgZHJhZnQtaWV0Zi1kaW1lLWRvaWMtcmF0ZS1jb250cm9sLTA8c3BhbiBj bGFzcz0iaW5zZXJ0Ij44PC9zcGFuPi50eHQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+QWJzdHJhY3Q8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij5BYnN0cmFjdDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g ICBUaGlzIHNwZWNpZmljYXRpb24gZG9jdW1lbnRzIGFuIGV4dGVuc2lvbiB0byB0aGUgRGlh bWV0ZXIgT3ZlcmxvYWQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGlz IHNwZWNpZmljYXRpb24gZG9jdW1lbnRzIGFuIGV4dGVuc2lvbiB0byB0aGUgRGlhbWV0ZXIg T3ZlcmxvYWQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEluZGljYXRpb24g Q29udmV5YW5jZSAoRE9JQykgW1JGQzc2ODNdIGJhc2Ugc29sdXRpb24uICBUaGlzIGV4dGVu c2lvbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEluZGljYXRpb24gQ29u dmV5YW5jZSAoRE9JQykgW1JGQzc2ODNdIGJhc2Ugc29sdXRpb24uICBUaGlzIGV4dGVuc2lv bjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYWRkcyBhIG5ldyBvdmVybG9h ZCBjb250cm9sIGFiYXRlbWVudCBhbGdvcml0aG0uICBUaGlzIGFiYXRlbWVudDwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGFkZHMgYSBuZXcgb3ZlcmxvYWQgY29udHJv bCBhYmF0ZW1lbnQgYWxnb3JpdGhtLiAgVGhpcyBhYmF0ZW1lbnQ8L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPiAgIGFsZ29yaXRobSBhbGxvd3MgZm9yIGEgRE9JQyByZXBvcnRp bmcgbm9kZSB0byBzcGVjaWZ5IGEgbWF4aW11bSByYXRlPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgYWxnb3JpdGhtIGFsbG93cyBmb3IgYSBET0lDIHJlcG9ydGluZyBu b2RlIHRvIHNwZWNpZnkgYSBtYXhpbXVtIHJhdGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIGF0IHdoaWNoIGEgRE9JQyByZWFjdGluZyBub2RlIHNlbmRzIERpYW1ldGVy IHJlcXVlc3RzIHRvIHRoZSBET0lDPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgYXQgd2hpY2ggYSBET0lDIHJlYWN0aW5nIG5vZGUgc2VuZHMgRGlhbWV0ZXIgcmVxdWVz dHMgdG8gdGhlIERPSUM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlcG9y dGluZyBub2RlLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcG9ydGlu ZyBub2RlLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0icGFydC0yIiBjbGFzcz0iY2hhbmdlIj48dGQ+PC90 ZD48dGg+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGEgaHJlZj0iI3Bh cnQtMiI+PGVtPiBwYWdlIDEsIGxpbmUgNDI8c3BhbiBjbGFzcz0iaGlkZSI+IMK2PC9zcGFu PjwvZW0+PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdl IGF0PC9zbWFsbD48YSBocmVmPSIjcGFydC0yIj48ZW0+IHBhZ2UgMSwgbGluZSA0MjxzcGFu IGNsYXNzPSJoaWRlIj4gwrY8L3NwYW4+PC9lbT48L2E+PC90aD48dGQ+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJ bnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRzIG9mIHRoZSBJbnRlcm5ldCBF bmdpbmVlcmluZzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEludGVybmV0 LURyYWZ0cyBhcmUgd29ya2luZyBkb2N1bWVudHMgb2YgdGhlIEludGVybmV0IEVuZ2luZWVy aW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUYXNrIEZvcmNlIChJRVRG KS4gIE5vdGUgdGhhdCBvdGhlciBncm91cHMgbWF5IGFsc28gZGlzdHJpYnV0ZTwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRhc2sgRm9yY2UgKElFVEYpLiAgTm90ZSB0 aGF0IG90aGVyIGdyb3VwcyBtYXkgYWxzbyBkaXN0cmlidXRlPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICB3b3JraW5nIGRvY3VtZW50cyBhcyBJbnRlcm5ldC1EcmFmdHMu ICBUaGUgbGlzdCBvZiBjdXJyZW50IEludGVybmV0LTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIHdvcmtpbmcgZG9jdW1lbnRzIGFzIEludGVybmV0LURyYWZ0cy4gIFRo ZSBsaXN0IG9mIGN1cnJlbnQgSW50ZXJuZXQtPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICBEcmFmdHMgaXMgYXQgaHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kcmFm dHMvY3VycmVudC8uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgRHJhZnRz IGlzIGF0IGh0dHBzOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcvZHJhZnRzL2N1cnJlbnQvLjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJbnRlcm5ldC1E cmFmdHMgYXJlIGRyYWZ0IGRvY3VtZW50cyB2YWxpZCBmb3IgYSBtYXhpbXVtIG9mIHNpeCBt b250aHM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBJbnRlcm5ldC1EcmFm dHMgYXJlIGRyYWZ0IGRvY3VtZW50cyB2YWxpZCBmb3IgYSBtYXhpbXVtIG9mIHNpeCBtb250 aHM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGFuZCBtYXkgYmUgdXBkYXRl ZCwgcmVwbGFjZWQsIG9yIG9ic29sZXRlZCBieSBvdGhlciBkb2N1bWVudHMgYXQgYW55PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYW5kIG1heSBiZSB1cGRhdGVkLCBy ZXBsYWNlZCwgb3Igb2Jzb2xldGVkIGJ5IG90aGVyIGRvY3VtZW50cyBhdCBhbnk8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRpbWUuICBJdCBpcyBpbmFwcHJvcHJpYXRl IHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMgcmVmZXJlbmNlPC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+ICAgdGltZS4gIEl0IGlzIGluYXBwcm9wcmlhdGUgdG8gdXNlIElu dGVybmV0LURyYWZ0cyBhcyByZWZlcmVuY2U8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIG1hdGVyaWFsIG9yIHRvIGNpdGUgdGhlbSBvdGhlciB0aGFuIGFzICJ3b3JrIGlu IHByb2dyZXNzLiI8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBtYXRlcmlh bCBvciB0byBjaXRlIHRoZW0gb3RoZXIgdGhhbiBhcyAid29yayBpbiBwcm9ncmVzcy4iPC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBp ZD0iZGlmZjAwMDMiPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgVGhpcyBJbnRlcm5ldC1EcmFmdCB3aWxs IGV4cGlyZSBvbiA8c3BhbiBjbGFzcz0iZGVsZXRlIj5NYXJjaCAzMTwvc3Bhbj4sIDIwMTgu PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIFRoaXMgSW50ZXJuZXQtRHJh ZnQgd2lsbCBleHBpcmUgb24gPHNwYW4gY2xhc3M9Imluc2VydCI+U2VwdGVtYmVyIDY8L3Nw YW4+LCAyMDE4LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij5D b3B5cmlnaHQgTm90aWNlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+Q29weXJp Z2h0IE5vdGljZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHIgaWQ9ImRpZmYwMDA0Ij48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIENvcHlyaWdodCAo YykgMjAxPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Nzwvc3Bhbj4gSUVURiBUcnVzdCBhbmQgdGhl IHBlcnNvbnMgaWRlbnRpZmllZCBhcyB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi bG9jayI+ICAgQ29weXJpZ2h0IChjKSAyMDE8c3BhbiBjbGFzcz0iaW5zZXJ0Ij44PC9zcGFu PiBJRVRGIFRydXN0IGFuZCB0aGUgcGVyc29ucyBpZGVudGlmaWVkIGFzIHRoZTwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZG9jdW1lbnQgYXV0aG9ycy4gIEFsbCByaWdo dHMgcmVzZXJ2ZWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZG9jdW1l bnQgYXV0aG9ycy4gIEFsbCByaWdodHMgcmVzZXJ2ZWQuPC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBC Q1AgNzggYW5kIHRoZSBJRVRGIFRydXN0J3MgTGVnYWw8L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICBUaGlzIGRvY3VtZW50IGlzIHN1YmplY3QgdG8gQkNQIDc4IGFuZCB0 aGUgSUVURiBUcnVzdCdzIExlZ2FsPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g ICBQcm92aXNpb25zIFJlbGF0aW5nIHRvIElFVEYgRG9jdW1lbnRzPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERvY3Vt ZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgKGh0dHBzOi8vdHJ1c3Rl ZS5pZXRmLm9yZy9saWNlbnNlLWluZm8pIGluIGVmZmVjdCBvbiB0aGUgZGF0ZSBvZjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIChodHRwczovL3RydXN0ZWUuaWV0Zi5v cmcvbGljZW5zZS1pbmZvKSBpbiBlZmZlY3Qgb24gdGhlIGRhdGUgb2Y8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1lbnQuICBQ bGVhc2UgcmV2aWV3IHRoZXNlIGRvY3VtZW50czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1lbnQuICBQbGVhc2UgcmV2aWV3 IHRoZXNlIGRvY3VtZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY2Fy ZWZ1bGx5LCBhcyB0aGV5IGRlc2NyaWJlIHlvdXIgcmlnaHRzIGFuZCByZXN0cmljdGlvbnMg d2l0aCByZXNwZWN0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgY2FyZWZ1 bGx5LCBhcyB0aGV5IGRlc2NyaWJlIHlvdXIgcmlnaHRzIGFuZCByZXN0cmljdGlvbnMgd2l0 aCByZXNwZWN0PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0byB0aGlzIGRv Y3VtZW50LiAgQ29kZSBDb21wb25lbnRzIGV4dHJhY3RlZCBmcm9tIHRoaXMgZG9jdW1lbnQg bXVzdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRvIHRoaXMgZG9jdW1l bnQuICBDb2RlIENvbXBvbmVudHMgZXh0cmFjdGVkIGZyb20gdGhpcyBkb2N1bWVudCBtdXN0 PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpbmNsdWRlIFNpbXBsaWZpZWQg QlNEIExpY2Vuc2UgdGV4dCBhcyBkZXNjcmliZWQgaW4gU2VjdGlvbiA0LmUgb2Y8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBpbmNsdWRlIFNpbXBsaWZpZWQgQlNEIExp Y2Vuc2UgdGV4dCBhcyBkZXNjcmliZWQgaW4gU2VjdGlvbiA0LmUgb2Y8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRoZSBUcnVzdCBMZWdhbCBQcm92aXNpb25zIGFuZCBh cmUgcHJvdmlkZWQgd2l0aG91dCB3YXJyYW50eSBhczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIHRoZSBUcnVzdCBMZWdhbCBQcm92aXNpb25zIGFuZCBhcmUgcHJvdmlk ZWQgd2l0aG91dCB3YXJyYW50eSBhczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgZGVzY3JpYmVkIGluIHRoZSBTaW1wbGlmaWVkIEJTRCBMaWNlbnNlLjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGRlc2NyaWJlZCBpbiB0aGUgU2ltcGxpZmllZCBC U0QgTGljZW5zZS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ VGFibGUgb2YgQ29udGVudHM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij5UYWJs ZSBvZiBDb250ZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICAxLiAgSW50cm9kdWN0aW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAgIDM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICAxLiAgSW50cm9kdWN0aW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAgIDM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0ciBpZD0iZGlmZjAwMDUiPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgMi4gIFRlcm1pbm9sb2d5 IDxzcGFuIGNsYXNzPSJkZWxldGUiPmFuZCBBYmJyZXZpYXRpb25zPC9zcGFuPiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmJsb2NrIj4gICAyLiAgVGVybWlub2xvZ3kgPHNwYW4gY2xhc3M9Imluc2VydCI+LiAuIC4g LiAuIC4gLiAuIC48L3NwYW4+IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA0 PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDMuICBJbnRlcmFjdGlvbiB3 aXRoIERPSUMgUmVwb3J0IDxzcGFuIGNsYXNzPSJkZWxldGUiPlJ5cGVzPC9zcGFuPiAgLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi bG9jayI+ICAgMy4gIEludGVyYWN0aW9uIHdpdGggRE9JQyBSZXBvcnQgPHNwYW4gY2xhc3M9 Imluc2VydCI+VHlwZXM8L3NwYW4+ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNTwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgNC4gIENhcGFiaWxpdHkgQW5ub3Vu Y2VtZW50IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA1PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgNC4gIENhcGFiaWxpdHkgQW5ub3VuY2Vt ZW50IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA1PC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICA1LiAgT3ZlcmxvYWQgUmVwb3J0IEhhbmRsaW5n ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDY8L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICA1LiAgT3ZlcmxvYWQgUmVwb3J0IEhhbmRsaW5nICAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDY8L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPiAgICAgNS4xLiAgUmVwb3J0aW5nIE5vZGUgT3ZlcmxvYWQgQ29u dHJvbCBTdGF0ZSAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNjwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgICAgNS4xLiAgUmVwb3J0aW5nIE5vZGUgT3ZlcmxvYWQgQ29udHJv bCBTdGF0ZSAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgICA1LjIuICBSZWFjdGluZyBOb2RlIE92ZXJsb2FkIENvbnRyb2wgU3Rh dGUgIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA2PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+ICAgICA1LjIuICBSZWFjdGluZyBOb2RlIE92ZXJsb2FkIENvbnRyb2wgU3RhdGUg IC4gLiAuIC4gLiAuIC4gLiAuIC4gICA2PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICAgIDUuMy4gIFJlcG9ydGluZyBOb2RlIE1haW50ZW5hbmNlIG9mIE92ZXJsb2FkIENv bnRyb2wgU3RhdGUgIC4gLiAgIDc8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICAgIDUuMy4gIFJlcG9ydGluZyBOb2RlIE1haW50ZW5hbmNlIG9mIE92ZXJsb2FkIENvbnRy b2wgU3RhdGUgIC4gLiAgIDc8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAg NS40LiAgUmVhY3RpbmcgTm9kZSBNYWludGVuYW5jZSBvZiBPdmVybG9hZCBDb250cm9sIFN0 YXRlIC4gLiAuICAgNzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgNS40 LiAgUmVhY3RpbmcgTm9kZSBNYWludGVuYW5jZSBvZiBPdmVybG9hZCBDb250cm9sIFN0YXRl IC4gLiAuICAgNzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICA1LjUuICBS ZXBvcnRpbmcgTm9kZSBCZWhhdmlvciBmb3IgUmF0ZSBBYmF0ZW1lbnQgQWxnb3JpdGhtICAu IC4gICA3PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICA1LjUuICBSZXBv cnRpbmcgTm9kZSBCZWhhdmlvciBmb3IgUmF0ZSBBYmF0ZW1lbnQgQWxnb3JpdGhtICAuIC4g ICA3PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDUuNi4gIFJlYWN0aW5n IE5vZGUgQmVoYXZpb3IgZm9yIFJhdGUgQWJhdGVtZW50IEFsZ29yaXRobSAuIC4gLiAgIDg8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDUuNi4gIFJlYWN0aW5nIE5v ZGUgQmVoYXZpb3IgZm9yIFJhdGUgQWJhdGVtZW50IEFsZ29yaXRobSAuIC4gLiAgIDg8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDYuICBSYXRlIEFiYXRlbWVudCBBbGdv cml0aG0gQVZQcyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgODwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDYuICBSYXRlIEFiYXRlbWVudCBBbGdvcml0 aG0gQVZQcyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgODwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICA2LjEuICBPQy1TdXBwb3J0ZWQtRmVhdHVyZXMg QVZQIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA4PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgICA2LjEuICBPQy1TdXBwb3J0ZWQtRmVhdHVyZXMgQVZQ IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA4PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICAgICAgNi4xLjEuICBPQy1GZWF0dXJlLVZlY3RvciBBVlAgLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDg8L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICAgICAgNi4xLjEuICBPQy1GZWF0dXJlLVZlY3RvciBBVlAgLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDg8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgICAgNi4yLiAgT0MtT0xSIEFWUCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgOTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgICAgNi4yLiAgT0MtT0xSIEFWUCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuICAgOTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgICAgIDYuMi4xLiAgT0MtTWF4aW11bS1SYXRlIEFWUCAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gICA5PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg ICAgIDYuMi4xLiAgT0MtTWF4aW11bS1SYXRlIEFWUCAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gICA5PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDYu My4gIEF0dHJpYnV0ZSBWYWx1ZSBQYWlyIEZsYWcgUnVsZXMgLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAgIDk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDYuMy4g IEF0dHJpYnV0ZSBWYWx1ZSBQYWlyIEZsYWcgUnVsZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAgIDk8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDcuICBSYXRlIEJh c2VkIEFiYXRlbWVudCBBbGdvcml0aG0gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu ICAxMDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDcuICBSYXRlIEJhc2Vk IEFiYXRlbWVudCBBbGdvcml0aG0gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAx MDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICA3LjEuICBPdmVydmlldyAg LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDEwPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICA3LjEuICBPdmVydmlldyAgLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDEwPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDcuMi4gIFJlcG9ydGluZyBOb2RlIEJl aGF2aW9yIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTA8L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDcuMi4gIFJlcG9ydGluZyBOb2RlIEJlaGF2 aW9yIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTA8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgNy4zLiAgUmVhY3RpbmcgTm9kZSBCZWhhdmlvciAg LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxMTwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPiAgICAgNy4zLiAgUmVhY3RpbmcgTm9kZSBCZWhhdmlvciAgLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxMTwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlkPSJkaWZmMDAwNiI+PHRkPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4g ICAgICAgNy4zLjEuICBEZWZhdWx0IEFsZ29yaXRobSA8c3BhbiBjbGFzcz0iZGVsZXRlIj4u IC4gLiAuIC4gLiAuIC4gLiAuIC4gLjwvc3Bhbj4gLiAuIC4gLiAuIC4gIDExPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICA3LjMuMS4gIERlZmF1bHQgQWxnb3Jp dGhtIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmZvciBSYXRlLWJhc2VkIENvbnRyb2wgPC9zcGFu PiAuIC4gLiAuIC4gLiAgMTE8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAg ICA3LjMuMi4gIFByaW9yaXR5IFRyZWF0bWVudCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuICAxNDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICA3 LjMuMi4gIFByaW9yaXR5IFRyZWF0bWVudCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuICAxNDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgIDcuMy4z LiAgT3B0aW9uYWwgRW5oYW5jZW1lbnQ6IEF2b2lkYW5jZSBvZiBSZXNvbmFuY2UgIC4gLiAu IC4gIDE2PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgIDcuMy4zLiAg T3B0aW9uYWwgRW5oYW5jZW1lbnQ6IEF2b2lkYW5jZSBvZiBSZXNvbmFuY2UgIC4gLiAuIC4g IDE2PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICA4LiAgSUFOQSBDb25zaWRl cmF0aW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTc8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICA4LiAgSUFOQSBDb25zaWRlcmF0 aW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTc8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgOC4xLiAgQVZQIENvZGVzIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxNzwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgOC4xLiAgQVZQIENvZGVzIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxNzwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICA4LjIuICBOZXcgUmVnaXN0cmllcyAgLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDE3PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgICA4LjIuICBOZXcgUmVnaXN0cmllcyAgLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDE3PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICA5LiAgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTc8L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICA5LiAgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTc8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIDEwLiBBY2tub3dsZWRnZW1lbnRzICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxODwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIDEwLiBBY2tub3dsZWRnZW1lbnRzICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuICAxODwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgMTEuIFJlZmVyZW5jZXMgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gIDE4PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg MTEuIFJlZmVyZW5jZXMgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gIDE4PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDEx LjEuICBOb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAgMTg8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDExLjEu ICBOb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAgMTg8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgMTEuMi4gIElu Zm9ybWF0aXZlIFJlZmVyZW5jZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu ICAxODwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgMTEuMi4gIEluZm9y bWF0aXZlIFJlZmVyZW5jZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAx ODwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQXV0aG9ycycgQWRkcmVzc2Vz ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDE4PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgQXV0aG9ycycgQWRkcmVzc2VzICAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDE4PC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjEuICBJbnRyb2R1Y3Rpb248 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4xLiAgSW50cm9kdWN0aW9uPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRoaXMgZG9jdW1lbnQg ZGVmaW5lcyBhIG5ldyBEaWFtZXRlciBvdmVybG9hZCBjb250cm9sIGFiYXRlbWVudDwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoaXMgZG9jdW1lbnQgZGVmaW5lcyBh IG5ldyBEaWFtZXRlciBvdmVybG9hZCBjb250cm9sIGFiYXRlbWVudDwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlkPSJkaWZmMDAwNyI+PHRkPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJs b2NrIj4gICBhbGdvcml0aG0uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAg IGFsZ29yaXRobTxzcGFuIGNsYXNzPSJpbnNlcnQiPiwgdGhlICJyYXRlIiBhbGdvcml0aG08 L3NwYW4+LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgog ICAgICA8dHIgaWQ9ImRpZmYwMDA4Ij48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIFRoZSBiYXNlIERpYW1l dGVyIG92ZXJsb2FkIHNwZWNpZmljYXRpb24gW1JGQzc2ODNdIGRlZmluZXMgdGhlIDxzcGFu IGNsYXNzPSJkZWxldGUiPmxvc3M8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy YmxvY2siPiAgIFRoZSBiYXNlIERpYW1ldGVyIG92ZXJsb2FkIHNwZWNpZmljYXRpb24gW1JG Qzc2ODNdIGRlZmluZXMgdGhlIDxzcGFuIGNsYXNzPSJpbnNlcnQiPiJsb3NzIjwvc3Bhbj48 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGFsZ29yaXRobSBhcyB0aGUgZGVm YXVsdCBEaWFtZXRlciBvdmVybG9hZCBhYmF0ZW1lbnQgYWxnb3JpdGhtLiAgVGhlPC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWxnb3JpdGhtIGFzIHRoZSBkZWZhdWx0 IERpYW1ldGVyIG92ZXJsb2FkIGFiYXRlbWVudCBhbGdvcml0aG0uICBUaGU8L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGxvc3MgYWxnb3JpdGhtIGFsbG93cyBhIHJlcG9y dGluZyBub2RlIHRvIGluc3RydWN0IGEgcmVhY3Rpbmcgbm9kZSB0bzwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIGxvc3MgYWxnb3JpdGhtIGFsbG93cyBhIHJlcG9ydGlu ZyBub2RlIHRvIGluc3RydWN0IGEgcmVhY3Rpbmcgbm9kZSB0bzwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+ICAgcmVkdWNlIHRoZSBhbW91bnQgb2YgdHJhZmZpYyBzZW50IHRv IHRoZSByZXBvcnRpbmcgbm9kZSBieSBhYmF0aW5nPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+ICAgcmVkdWNlIHRoZSBhbW91bnQgb2YgdHJhZmZpYyBzZW50IHRvIHRoZSBy ZXBvcnRpbmcgbm9kZSBieSBhYmF0aW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICAoZGl2ZXJ0aW5nIG9yIHRocm90dGxpbmcpIGEgcGVyY2VudGFnZSBvZiByZXF1ZXN0 cyBzZW50IHRvIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIChkaXZl cnRpbmcgb3IgdGhyb3R0bGluZykgYSBwZXJjZW50YWdlIG9mIHJlcXVlc3RzIHNlbnQgdG8g dGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBzZXJ2ZXIuICBXaGlsZSB0 aGlzIGNhbiBlZmZlY3RpdmVseSBkZWNyZWFzZSB0aGUgbG9hZCBoYW5kbGVkIGJ5IHRoZTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHNlcnZlci4gIFdoaWxlIHRoaXMg Y2FuIGVmZmVjdGl2ZWx5IGRlY3JlYXNlIHRoZSBsb2FkIGhhbmRsZWQgYnkgdGhlPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBzZXJ2ZXIsIGl0IGRvZXMgbm90IGRpcmVj dGx5IGFkZHJlc3MgY2FzZXMgd2hlcmUgdGhlIHJhdGUgb2YgYXJyaXZhbDwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHNlcnZlciwgaXQgZG9lcyBub3QgZGlyZWN0bHkg YWRkcmVzcyBjYXNlcyB3aGVyZSB0aGUgcmF0ZSBvZiBhcnJpdmFsPC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBvZiBzZXJ2aWNlIHJlcXVlc3RzIGluY3JlYXNlcyBxdWlj a2x5LiAgSWYgdGhlIHNlcnZpY2UgcmVxdWVzdHMgdGhhdDwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgIG9mIHNlcnZpY2UgcmVxdWVzdHMgaW5jcmVhc2VzIHF1aWNrbHku ICBJZiB0aGUgc2VydmljZSByZXF1ZXN0cyB0aGF0PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij4gICByZXN1bHQgaW4gRGlhbWV0ZXIgdHJhbnNhY3Rpb25zIGluY3JlYXNlIHF1 aWNrbHkgdGhlbiB0aGUgbG9zczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IHJlc3VsdCBpbiBEaWFtZXRlciB0cmFuc2FjdGlvbnMgaW5jcmVhc2UgcXVpY2tseSB0aGVu IHRoZSBsb3NzPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBhbGdvcml0aG0g Y2Fubm90IGd1YXJhbnRlZSB0aGUgbG9hZCBwcmVzZW50ZWQgdG8gdGhlIHNlcnZlciByZW1h aW5zPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWxnb3JpdGhtIGNhbm5v dCBndWFyYW50ZWUgdGhlIGxvYWQgcHJlc2VudGVkIHRvIHRoZSBzZXJ2ZXIgcmVtYWluczwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYmVsb3cgYSBzcGVjaWZpYyByYXRl IGxldmVsLiAgVGhlIGxvc3MgYWxnb3JpdGhtIGNhbiBiZSBzbG93IHRvPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYmVsb3cgYSBzcGVjaWZpYyByYXRlIGxldmVsLiAg VGhlIGxvc3MgYWxnb3JpdGhtIGNhbiBiZSBzbG93IHRvPC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij4gICBwcm90ZWN0IHRoZSBzdGFiaWxpdHkgb2YgcmVwb3J0aW5nIG5vZGVz IHdoZW4gc3ViamVjdGVkIHdpdGggcmFwaWRseTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgIHByb3RlY3QgdGhlIHN0YWJpbGl0eSBvZiByZXBvcnRpbmcgbm9kZXMgd2hl biBzdWJqZWN0ZWQgd2l0aCByYXBpZGx5PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBjaGFuZ2luZyBsb2Fkcy48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBjaGFuZ2luZyBsb2Fkcy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgQ29uc2lkZXIgdGhlIGNhc2Ugd2hlcmUgYSByZWFjdGluZyBub2RlIGlzIGhh bmRsaW5nIDEwMCBzZXJ2aWNlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg Q29uc2lkZXIgdGhlIGNhc2Ugd2hlcmUgYSByZWFjdGluZyBub2RlIGlzIGhhbmRsaW5nIDEw MCBzZXJ2aWNlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICByZXF1ZXN0cyBw ZXIgc2Vjb25kLCB3aGVyZSBlYWNoIG9mIHRoZXNlIHNlcnZpY2UgcmVxdWVzdHMgcmVzdWx0 cyBpbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcXVlc3RzIHBlciBz ZWNvbmQsIHdoZXJlIGVhY2ggb2YgdGhlc2Ugc2VydmljZSByZXF1ZXN0cyByZXN1bHRzIGlu PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvbmUgRGlhbWV0ZXIgdHJhbnNh Y3Rpb24gYmVpbmcgc2VudCB0byBhIHJlcG9ydGluZyBub2RlLiAgSWYgdGhlPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgb25lIERpYW1ldGVyIHRyYW5zYWN0aW9uIGJl aW5nIHNlbnQgdG8gYSByZXBvcnRpbmcgbm9kZS4gIElmIHRoZTwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+ICAgcmVwb3J0aW5nIG5vZGUgaXMgYXBwcm9hY2hpbmcgYW4gb3Zl cmxvYWQgc3RhdGUsIG9yIGlzIGFscmVhZHkgaW4gYW48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICByZXBvcnRpbmcgbm9kZSBpcyBhcHByb2FjaGluZyBhbiBvdmVybG9h ZCBzdGF0ZSwgb3IgaXMgYWxyZWFkeSBpbiBhbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgb3ZlcmxvYWQgc3RhdGUsIGl0IHdpbGwgc2VuZCBhIERpYW1ldGVyIG92ZXJs b2FkIHJlcG9ydCByZXF1ZXN0aW5nIGE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij4gICBvdmVybG9hZCBzdGF0ZSwgaXQgd2lsbCBzZW5kIGEgRGlhbWV0ZXIgb3ZlcmxvYWQg cmVwb3J0IHJlcXVlc3RpbmcgYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4K ICAgICAgPHRyIGlkPSJkaWZmMDAwOSI+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBwZXJjZW50YWdlIHJl ZHVjdGlvbiBpbiB0cmFmZmljIDxzcGFuIGNsYXNzPSJkZWxldGUiPnNlbnQuPC9zcGFuPiAg QXNzdW1lIGZvciB0aGlzIGRpc2N1c3Npb248L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi bG9jayI+ICAgcGVyY2VudGFnZSByZWR1Y3Rpb24gaW4gdHJhZmZpYyA8c3BhbiBjbGFzcz0i aW5zZXJ0Ij5zZW50IHdoZW4gdGhlIGxvc3MgYWxnb3JpdGhtIGlzIHVzZWQ8L3NwYW4+PC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBhcyBEaWFtZXRlciBvdmVybG9h ZCBhYmF0ZW1lbnQgYWxnb3JpdGhtLjwvc3Bhbj4gIEFzc3VtZSBmb3IgdGhpcyBkaXNjdXNz aW9uPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aGF0IHRoZSByZXBvcnRp bmcgbm9kZSByZXF1ZXN0cyBhIDEwJSByZWR1Y3Rpb24uICBUaGUgcmVhY3Rpbmcgbm9kZTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRoYXQgdGhlIHJlcG9ydGluZyBu b2RlIHJlcXVlc3RzIGEgMTAlIHJlZHVjdGlvbi4gIFRoZSByZWFjdGluZyBub2RlPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB3aWxsIHRoZW4gYWJhdGUgKGRpdmVydGlu ZyBvciB0aHJvdHRsaW5nKSB0ZW4gRGlhbWV0ZXIgdHJhbnNhY3Rpb25zIGE8L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB3aWxsIHRoZW4gYWJhdGUgKGRpdmVydGluZyBv ciB0aHJvdHRsaW5nKSB0ZW4gRGlhbWV0ZXIgdHJhbnNhY3Rpb25zIGE8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHNlY29uZCwgc2VuZGluZyB0aGUgcmVtYWluaW5nIDkw IHRyYW5zYWN0aW9ucyBwZXIgc2Vjb25kIHRvIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIHNlY29uZCwgc2VuZGluZyB0aGUgcmVtYWluaW5nIDkwIHRyYW5zYWN0 aW9ucyBwZXIgc2Vjb25kIHRvIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgcmVwb3J0aW5nIG5vZGUuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg cmVwb3J0aW5nIG5vZGUuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIE5vdyBhc3N1bWUgdGhhdCB0aGUgcmVhY3Rpbmcgbm9kZSdzIHNlcnZpY2UgcmVx dWVzdHMgc3Bpa2VzIHRvIDEwMDA8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBOb3cgYXNzdW1lIHRoYXQgdGhlIHJlYWN0aW5nIG5vZGUncyBzZXJ2aWNlIHJlcXVlc3Rz IHNwaWtlcyB0byAxMDAwPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICByZXF1 ZXN0cyBwZXIgc2Vjb25kLiAgVGhlIHJlYWN0aW5nIG5vZGUgd2lsbCBjb250aW51ZSB0byBo b25vciB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICByZXF1ZXN0cyBw ZXIgc2Vjb25kLiAgVGhlIHJlYWN0aW5nIG5vZGUgd2lsbCBjb250aW51ZSB0byBob25vciB0 aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlcG9ydGluZyBub2RlJ3Mg cmVxdWVzdCBmb3IgYSAxMCUgcmVkdWN0aW9uIGluIHRyYWZmaWMuICBUaGlzPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcmVwb3J0aW5nIG5vZGUncyByZXF1ZXN0IGZv ciBhIDEwJSByZWR1Y3Rpb24gaW4gdHJhZmZpYy4gIFRoaXM8L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQg Y2xhc3M9ImxlZnQiPiAgIHJlc3VsdHMsIGluIHRoaXMgZXhhbXBsZSwgaW4gdGhlIHJlYWN0 aW5nIG5vZGUgc2VuZGluZyA5MDAgRGlhbWV0ZXI8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICByZXN1bHRzLCBpbiB0aGlzIGV4YW1wbGUsIGluIHRoZSByZWFjdGluZyBu b2RlIHNlbmRpbmcgOTAwIERpYW1ldGVyPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICB0cmFuc2FjdGlvbnMgcGVyIHNlY29uZCwgYWJhdGluZyB0aGUgcmVtYWluaW5nIDEw MCB0cmFuc2FjdGlvbnMgcGVyPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg dHJhbnNhY3Rpb25zIHBlciBzZWNvbmQsIGFiYXRpbmcgdGhlIHJlbWFpbmluZyAxMDAgdHJh bnNhY3Rpb25zIHBlcjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHIgaWQ9InBhcnQtMyIgY2xhc3M9ImNoYW5nZSI+PHRkPjwvdGQ+PHRo PjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxhIGhyZWY9IiNwYXJ0LTMi PjxlbT4gcGFnZSA0LCBsaW5lIDc8c3BhbiBjbGFzcz0iaGlkZSI+IMK2PC9zcGFuPjwvZW0+ PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9z bWFsbD48YSBocmVmPSIjcGFydC0zIj48ZW0+IHBhZ2UgNCwgbGluZSA3PHNwYW4gY2xhc3M9 ImhpZGUiPiDCtjwvc3Bhbj48L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlcG9ydCBy ZXF1ZXN0aW5nIHRoYXQgdGhlIHJlYWN0aW5nIG5vZGUgYWJhdGUgOTElIG9mIHJlcXVlc3Rz IHRvIGdldDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcG9ydCByZXF1 ZXN0aW5nIHRoYXQgdGhlIHJlYWN0aW5nIG5vZGUgYWJhdGUgOTElIG9mIHJlcXVlc3RzIHRv IGdldDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYmFjayB0byB0aGUgZGVz aXJlZCA5MCB0cmFuc2FjdGlvbnMgcGVyIHNlY29uZC4gIEhvd2V2ZXIsIG9uY2UgdGhlPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYmFjayB0byB0aGUgZGVzaXJlZCA5 MCB0cmFuc2FjdGlvbnMgcGVyIHNlY29uZC4gIEhvd2V2ZXIsIG9uY2UgdGhlPC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBzcGlrZSBoYXMgYWJhdGVkIGFuZCB0aGUgcmVh Y3Rpbmcgbm9kZSBoYW5kbGVkIHNlcnZpY2UgcmVxdWVzdHM8L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICBzcGlrZSBoYXMgYWJhdGVkIGFuZCB0aGUgcmVhY3Rpbmcgbm9k ZSBoYW5kbGVkIHNlcnZpY2UgcmVxdWVzdHM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIHJldHVybnMgdG8gMTAwIHBlciBzZWNvbmQsIHRoaXMgd2lsbCByZXN1bHQgaW4g anVzdCA5IHRyYW5zYWN0aW9uczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IHJldHVybnMgdG8gMTAwIHBlciBzZWNvbmQsIHRoaXMgd2lsbCByZXN1bHQgaW4ganVzdCA5 IHRyYW5zYWN0aW9uczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcGVyIHNl Y29uZCBiZWluZyBzZW50IHRvIHRoZSByZXBvcnRpbmcgbm9kZSwgcmVxdWlyaW5nIGEgbmV3 IG92ZXJsb2FkPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcGVyIHNlY29u ZCBiZWluZyBzZW50IHRvIHRoZSByZXBvcnRpbmcgbm9kZSwgcmVxdWlyaW5nIGEgbmV3IG92 ZXJsb2FkPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICByZXBvcnQgc2V0dGlu ZyB0aGUgcmVkdWN0aW9uIHBlcmNlbnRhZ2UgYmFjayB0byAxMCUuICBUaGlzIGNvbnRyb2w8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICByZXBvcnQgc2V0dGluZyB0aGUg cmVkdWN0aW9uIHBlcmNlbnRhZ2UgYmFjayB0byAxMCUuICBUaGlzIGNvbnRyb2w8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGZlZWRiYWNrIGxvb3AgaGFzIHRoZSBwb3Rl bnRpYWwgdG8gbWFrZSB0aGUgc2l0dWF0aW9uIHdvcnNlIGJ5PC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+ICAgZmVlZGJhY2sgbG9vcCBoYXMgdGhlIHBvdGVudGlhbCB0byBt YWtlIHRoZSBzaXR1YXRpb24gd29yc2UgYnk8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIGNhdXNpbmcgd2lkZSBmbHVjdHVhdGlvbnMgaW4gdHJhZmZpYyBvbiBtdWx0aXBs ZSBub2RlcyBpbiB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBjYXVz aW5nIHdpZGUgZmx1Y3R1YXRpb25zIGluIHRyYWZmaWMgb24gbXVsdGlwbGUgbm9kZXMgaW4g dGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBEaWFtZXRlciBuZXR3b3Jr LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIERpYW1ldGVyIG5ldHdvcmsu PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0 ciBpZD0iZGlmZjAwMTAiPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgT25lIG9mIHRoZSBiZW5lZml0cyBv ZiBhIHJhdGUgYmFzZWQgYWxnb3JpdGhtIGlzIHRoYXQgaXQgYmV0dGVyPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIE9uZSBvZiB0aGUgYmVuZWZpdHMgb2YgYSByYXRl IGJhc2VkIGFsZ29yaXRobSA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5vdmVyIHRoZSBsb3NzIGFs Z29yaXRobTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgaGFu ZGxlcyBzcGlrZXMgaW4gdHJhZmZpYy4gIEluc3RlYWQgb2Ygc2VuZGluZyBhIHJlcXVlc3Qg dG8gcmVkdWNlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIGlzIHRoYXQg aXQgYmV0dGVyIGhhbmRsZXMgc3Bpa2VzIGluIHRyYWZmaWMuICBJbnN0ZWFkIG9mIHNlbmRp bmcgYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICB0cmFmZmljIGJ5IGEg cGVyY2VudGFnZSwgdGhlIHJhdGUgYXBwcm9hY2ggYWxsb3dzIHRoZSByZXBvcnRpbmcgbm9k ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICByZXF1ZXN0IHRvIHJlZHVj ZSB0cmFmZmljIGJ5IGEgcGVyY2VudGFnZSwgdGhlIHJhdGUgYXBwcm9hY2ggYWxsb3dzPC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIHRvIHNwZWNpZnkgdGhlIG1heGlt dW0gbnVtYmVyIG9mIERpYW1ldGVyIHJlcXVlc3RzIHBlciBzZWNvbmQgdGhhdDwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICB0aGUgcmVwb3J0aW5nIG5vZGUgdG8gc3Bl Y2lmeSB0aGUgbWF4aW11bSBudW1iZXIgb2YgRGlhbWV0ZXIgcmVxdWVzdHM8L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgY2FuIGJlIHNlbnQgdG8gdGhlIHJlcG9ydGlu ZyBub2RlLiAgRm9yIGluc3RhbmNlLCBpbiB0aGlzIGV4YW1wbGUsPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyYmxvY2siPiAgIHBlciBzZWNvbmQgdGhhdCBjYW4gYmUgc2VudCB0byB0 aGUgcmVwb3J0aW5nIG5vZGUuICBGb3IgaW5zdGFuY2UsIGluPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsYmxvY2siPiAgIHRoZSByZXBvcnRpbmcgbm9kZSBjb3VsZCBzZW5kIGEgcmF0 ZS1iYXNlZCByZXF1ZXN0IHNwZWNpZnlpbmcgdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyYmxvY2siPiAgIHRoaXMgZXhhbXBsZSwgdGhlIHJlcG9ydGluZyBub2RlIGNvdWxkIHNl bmQgYSByYXRlLWJhc2VkIHJlcXVlc3Q8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+ICAgbWF4aW11bSB0cmFuc2FjdGlvbnMgcGVyIHNlY29uZCB0byBiZSA5MC4gIFRoZSBy ZWFjdGluZyBub2RlIHdpbGw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAg c3BlY2lmeWluZyB0aGUgbWF4aW11bSB0cmFuc2FjdGlvbnMgcGVyIHNlY29uZCB0byBiZSA5 MC4gIFRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBzZW5kIHRoZSA5 MCByZWdhcmRsZXNzIG9mIHdoZXRoZXIgaXQgaXMgcmVjZWl2aW5nIDEwMCBvciAxMDAwIHNl cnZpY2U8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgcmVhY3Rpbmcgbm9k ZSB3aWxsIHNlbmQgdGhlIDkwIHJlZ2FyZGxlc3Mgb2Ygd2hldGhlciBpdCBpcyByZWNlaXZp bmc8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgcmVxdWVzdHMgcGVyIHNl Y29uZC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgMTAwIG9yIDEwMDAg c2VydmljZSByZXF1ZXN0cyBwZXIgc2Vjb25kLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGlzIGRvY3VtZW50IGV4dGVuZHMgdGhlIGJhc2UgRE9J QyBzb2x1dGlvbiBbUkZDNzY4M10gdG8gYWRkIHN1cHBvcnQ8L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICBUaGlzIGRvY3VtZW50IGV4dGVuZHMgdGhlIGJhc2UgRE9JQyBz b2x1dGlvbiBbUkZDNzY4M10gdG8gYWRkIHN1cHBvcnQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgIGZvciB0aGUgcmF0ZSBiYXNlZCBvdmVybG9hZCBhYmF0ZW1lbnQgYWxn b3JpdGhtLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGZvciB0aGUgcmF0 ZSBiYXNlZCBvdmVybG9hZCBhYmF0ZW1lbnQgYWxnb3JpdGhtLjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGlzIGRvY3VtZW50IGRyYXdzIGhlYXZp bHkgb24gd29yayBpbiB0aGUgU0lQIE92ZXJsb2FkIENvbnRyb2w8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGlzIGRvY3VtZW50IGRyYXdzIGhlYXZpbHkgb24gd29y ayBpbiB0aGUgU0lQIE92ZXJsb2FkIENvbnRyb2w8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIHdvcmtpbmcgZ3JvdXAuICBUaGUgZGVmaW5pdGlvbiBvZiB0aGUgcmF0ZSBh YmF0ZW1lbnQgYWxnb3JpdGhtIGlzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgd29ya2luZyBncm91cC4gIFRoZSBkZWZpbml0aW9uIG9mIHRoZSByYXRlIGFiYXRlbWVu dCBhbGdvcml0aG0gaXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGNvcGll ZCBhbG1vc3QgdmVyYmF0aW0gZnJvbSB0aGUgU09DIGRvY3VtZW50IFtSRkM3NDE1XSwgd2l0 aCBjaGFuZ2VzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgY29waWVkIGFs bW9zdCB2ZXJiYXRpbSBmcm9tIHRoZSBTT0MgZG9jdW1lbnQgW1JGQzc0MTVdLCB3aXRoIGNo YW5nZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGZvY3VzZWQgb24gbWFr aW5nIHRoZSB3b3JkaW5nIGNvbnNpc3RlbnQgd2l0aCB0aGUgRE9JQyBzb2x1dGlvbiBhbmQ8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBmb2N1c2VkIG9uIG1ha2luZyB0 aGUgd29yZGluZyBjb25zaXN0ZW50IHdpdGggdGhlIERPSUMgc29sdXRpb24gYW5kPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aGUgRGlhbWV0ZXIgcHJvdG9jb2wuPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdGhlIERpYW1ldGVyIHByb3RvY29s LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8 dHIgaWQ9ImRpZmYwMDExIj48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjIuICBUZXJtaW5vbG9neTxzcGFuIGNs YXNzPSJkZWxldGUiPiBhbmQgQWJicmV2aWF0aW9uczwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJibG9jayI+Mi4gIFRlcm1pbm9sb2d5PC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIERpYW1ldGVyIE5vZGU8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICBEaWFtZXRlciBOb2RlPC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIEEgUkZDNjczMyBEaWFtZXRlciBDbGllbnQs IFJGQzY3MzMgRGlhbWV0ZXIgU2VydmVyLCBvciBSRkM2NzMzPC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+ICAgICAgQSBSRkM2NzMzIERpYW1ldGVyIENsaWVudCwgUkZDNjcz MyBEaWFtZXRlciBTZXJ2ZXIsIG9yIFJGQzY3MzM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgICAgIERpYW1ldGVyIEFnZW50LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgICAgIERpYW1ldGVyIEFnZW50LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBEaWFtZXRlciBFbmRwb2ludDwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPiAgIERpYW1ldGVyIEVuZHBvaW50PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIEFuIFJGQzY3MzMgRGlhbWV0ZXIgQ2xp ZW50IG9yIFJGQzY3MzMgRGlhbWV0ZXIgU2VydmVyLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgICAgIEFuIFJGQzY3MzMgRGlhbWV0ZXIgQ2xpZW50IG9yIFJGQzY3MzMg RGlhbWV0ZXIgU2VydmVyLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0icGFydC00IiBjbGFzcz0iY2hhbmdl Ij48dGQ+PC90ZD48dGg+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGEg aHJlZj0iI3BhcnQtNCI+PGVtPiBwYWdlIDUsIGxpbmUgNTxzcGFuIGNsYXNzPSJoaWRlIj4g wrY8L3NwYW4+PC9lbT48L2E+PC90aD48dGg+IDwvdGg+PHRoPjxzbWFsbD5za2lwcGluZyB0 byBjaGFuZ2UgYXQ8L3NtYWxsPjxhIGhyZWY9IiNwYXJ0LTQiPjxlbT4gcGFnZSA1LCBsaW5l IDU8c3BhbiBjbGFzcz0iaGlkZSI+IMK2PC9zcGFuPjwvZW0+PC9hPjwvdGg+PHRkPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+ICAgICAgW1JGQzc2ODNdLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg ICAgIFtSRkM3NjgzXS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+ICAgUmVwb3J0aW5nIE5vZGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBSZXBvcnRpbmcgTm9kZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICAgICBBIERPSUMgTm9kZSB0aGF0IHNlbmRzIGEgRE9JQyBvdmVybG9hZCByZXBv cnQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgQSBET0lDIE5vZGUg dGhhdCBzZW5kcyBhIERPSUMgb3ZlcmxvYWQgcmVwb3J0LjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBSZWFjdGluZyBOb2RlPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgUmVhY3RpbmcgTm9kZTwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBBIERPSUMgTm9kZSB0aGF0IHJlY2VpdmVz IGFuZCBhY3RzIG9uIGEgRE9JQyBvdmVybG9hZCByZXBvcnQuPC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+ICAgICAgQSBET0lDIE5vZGUgdGhhdCByZWNlaXZlcyBhbmQgYWN0 cyBvbiBhIERPSUMgb3ZlcmxvYWQgcmVwb3J0LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDEyIj48dGQ+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxv Y2siPjMuICBJbnRlcmFjdGlvbiB3aXRoIERPSUMgUmVwb3J0IDxzcGFuIGNsYXNzPSJkZWxl dGUiPlI8L3NwYW4+eXBlczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4zLiAg SW50ZXJhY3Rpb24gd2l0aCBET0lDIFJlcG9ydCA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5UPC9z cGFuPnlwZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4K ICAgICAgPHRyIGlkPSJkaWZmMDAxMyI+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBBcyBvZiB0aGUgcHVi bGljYXRpb24gb2YgdGhpcyA8c3BhbiBjbGFzcz0iZGVsZXRlIj5zcGVjaWZpY2F0aW9uPC9z cGFuPiB0aGVyZSBhcmUgdHdvIERPSUMgcmVwb3J0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyYmxvY2siPiAgIEFzIG9mIHRoZSBwdWJsaWNhdGlvbiBvZiB0aGlzIDxzcGFuIGNsYXNz PSJpbnNlcnQiPnNwZWNpZmljYXRpb24sPC9zcGFuPiB0aGVyZSBhcmUgdHdvIERPSUM8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgdHlwZXMgZGVmaW5lZCB3aXRoIHRo ZSBzcGVjaWZpY2F0aW9uIG9mIGEgdGhpcmQgaW4gcHJvZ3Jlc3M6PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyYmxvY2siPiAgIHJlcG9ydCB0eXBlcyBkZWZpbmVkIHdpdGggdGhlIHNw ZWNpZmljYXRpb24gb2YgYSB0aGlyZCBpbiBwcm9ncmVzczo8L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQg Y2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlkPSJkaWZmMDAxNCI+PHRk PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFz cz0ibGJsb2NrIj4gICA8c3BhbiBjbGFzcz0iZGVsZXRlIj4xLiAgSG9zdCAtPC9zcGFuPiBP dmVybG9hZCBvZiBhIHNwZWNpZmljIERpYW1ldGVyIEFwcGxpY2F0aW9uIGF0IGEgc3BlY2lm aWM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgPHNwYW4gY2xhc3M9Imlu c2VydCI+SE9TVF9SRVBPUlQgMDwvc3Bhbj4gIE92ZXJsb2FkIG9mIGEgc3BlY2lmaWMgRGlh bWV0ZXIgQXBwbGljYXRpb24gYXQgYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr Ij4gICAgICAgRGlhbWV0ZXIgTm9kZSBhcyBkZWZpbmVkIGluIDxzcGFuIGNsYXNzPSJkZWxl dGUiPltSRkM3NjgzXS48L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si PiAgICAgIHNwZWNpZmljIERpYW1ldGVyIE5vZGUgYXMgZGVmaW5lZCBpbiA8c3BhbiBjbGFz cz0iaW5zZXJ0Ij5bUkZDNzY4M108L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0iZGlmZjAwMTUiPjx0ZD48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+ICAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Mi4gIFJlYWxtIC08L3NwYW4+IE92ZXJsb2Fk IG9mIGEgc3BlY2lmaWMgRGlhbWV0ZXIgQXBwbGljYXRpb24gYXQgYSBzcGVjaWZpYzwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5S RUFMTV9SRVBPUlQgMTwvc3Bhbj4gIE92ZXJsb2FkIG9mIGEgc3BlY2lmaWMgRGlhbWV0ZXIg QXBwbGljYXRpb24gYXQgYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAg ICAgRGlhbWV0ZXIgUmVhbG0gYXMgZGVmaW5lZCBpbiA8c3BhbiBjbGFzcz0iZGVsZXRlIj5b UkZDNzY4M10uPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAg ICBzcGVjaWZpYyBEaWFtZXRlciBSZWFsbSBhcyBkZWZpbmVkIGluIDxzcGFuIGNsYXNzPSJp bnNlcnQiPltSRkM3NjgzXTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlkPSJkaWZmMDAxNiI+PHRkPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4g ICA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zLiAgUGVlciAtPC9zcGFuPiBPdmVybG9hZCBvZiBh IHNwZWNpZmljIERpYW1ldGVyIHBlZXIgYXMgZGVmaW5lZCBpbjwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmJsb2NrIj4gICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5QRUVSX1JFUE9SVCAy PC9zcGFuPiAgT3ZlcmxvYWQgb2YgYSBzcGVjaWZpYyBEaWFtZXRlciBwZWVyIGFzIGRlZmlu ZWQgaW48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICAgIDxzcGFuIGNs YXNzPSJkZWxldGUiPltJLUQuaWV0Zi1kaW1lLWFnZW50LW92ZXJsb2FkXS48L3NwYW4+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgIDxzcGFuIGNsYXNzPSJpbnNl cnQiPltJLUQuaWV0Zi1kaW1lLWFnZW50LW92ZXJsb2FkXTwvc3Bhbj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhlIHJhdGUgYWxnb3JpdGhtIE1B WSBiZSBzZWxlY3RlZCBieSByZXBvcnRpbmcgbm9kZXMgZm9yIGFueSBvZjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSByYXRlIGFsZ29yaXRobSBNQVkgYmUgc2Vs ZWN0ZWQgYnkgcmVwb3J0aW5nIG5vZGVzIGZvciBhbnkgb2Y8L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQg Y2xhc3M9ImxlZnQiPiAgIHRoZXNlIHJlcG9ydCB0eXBlcy48L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICB0aGVzZSByZXBvcnQgdHlwZXMuPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEl0IGlzIGV4cGVjdGVkIHRoYXQgYWxsIHJl cG9ydCB0eXBlcyBkZWZpbmVkIGluIHRoZSBmdXR1cmUgd2lsbDwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPiAgIEl0IGlzIGV4cGVjdGVkIHRoYXQgYWxsIHJlcG9ydCB0eXBl cyBkZWZpbmVkIGluIHRoZSBmdXR1cmUgd2lsbDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgaW5kaWNhdGUgd2hldGhlciBvciBub3QgdGhlIHJhdGUgYWxnb3JpdGhtIGNh biBiZSB1c2VkIHdpdGggdGhhdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IGluZGljYXRlIHdoZXRoZXIgb3Igbm90IHRoZSByYXRlIGFsZ29yaXRobSBjYW4gYmUgdXNl ZCB3aXRoIHRoYXQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlcG9ydCB0 eXBlLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcG9ydCB0eXBlLjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij40LiAgQ2FwYWJpbGl0 eSBBbm5vdW5jZW1lbnQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij40LiAgQ2Fw YWJpbGl0eSBBbm5vdW5jZW1lbnQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgVGhpcyBleHRlbnNpb24gZGVmaW5lcyB0aGUgcmF0ZSBhYmF0ZW1lbnQg YWxnb3JpdGhtIChyZWZlcnJlZCB0byBhczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIFRoaXMgZXh0ZW5zaW9uIGRlZmluZXMgdGhlIHJhdGUgYWJhdGVtZW50IGFsZ29y aXRobSAocmVmZXJyZWQgdG8gYXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+ CiAgICAgIDx0ciBpZD0iZGlmZjAwMTciPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgcmF0ZSBpbiB0aGlz IGRvY3VtZW50KSBmZWF0dXJlLiAgU3VwcG9ydCA8c3BhbiBjbGFzcz0iZGVsZXRlIj5mb3I8 L3NwYW4+IHRoZSByYXRlIGZlYXR1cmUgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+d2lsbCBiZTwv c3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgcmF0ZSBpbiB0aGlz IGRvY3VtZW50KSBmZWF0dXJlLiAgU3VwcG9ydCA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5vZjwv c3Bhbj4gdGhlIHJhdGUgZmVhdHVyZSBieSA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij50aGU8L3Nw YW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxl dGUiPiAgIHJlZmxlY3RlZDwvc3Bhbj4gYnkgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+dXNlIG9m PC9zcGFuPiBhIG5ldyA8c3BhbiBjbGFzcz0iZGVsZXRlIj52YWx1ZSw8L3NwYW4+IGFzIDxz cGFuIGNsYXNzPSJkZWxldGUiPmRlZmluZWQ8L3NwYW4+IGluIFNlY3Rpb24gNi4xLjEsIDxz cGFuIGNsYXNzPSJkZWxldGUiPmluIHRoZTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgRE9JQyBub2RlIGlzIGFubm91 bmNlZCBieTwvc3Bhbj4gYSBuZXcgPHNwYW4gY2xhc3M9Imluc2VydCI+dmFsdWUgb2YgdGhl IE9DLUZlYXR1cmUtVmVjdG9yIEFWUCw8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIE9DLUZlYXR1cmUtVmVjdG9yIEFW UDwvc3Bhbj4gcGVyIHRoZSBydWxlcyBkZWZpbmVkIGluIFtSRkM3NjgzXS48L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgYXMgPHNwYW4gY2xhc3M9Imluc2VydCI+ZGVz Y3JpYmVkPC9zcGFuPiBpbiBTZWN0aW9uIDYuMS4xLCBwZXIgdGhlIHJ1bGVzIGRlZmluZWQg aW4gW1JGQzc2ODNdLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDE4Ij48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDxzcGFuIGNs YXNzPSJkZWxldGUiPk5vdGUgdGhhdCBEaWFtZXRlcjwvc3Bhbj4gbm9kZXMgdGhhdCBzdXBw b3J0IHRoZSByYXRlIGZlYXR1cmUgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+d2lsbCwgYnk8L3Nw YW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDxzcGFuIGNsYXNzPSJp bnNlcnQiPlRoZSBsb3NzIGFsZ29yaXRobSBiZWluZyB0aGUgZGVmYXVsdCBhbGdvcml0aG0g c3VwcG9ydGVkIGJ5IGFsbDwvc3Bhbj4gbm9kZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgZGVmaW5pdGlvbiw8L3NwYW4+IHN1 cHBvcnQgYm90aCB0aGUgbG9zcyBhbmQgcmF0ZSBiYXNlZCBhYmF0ZW1lbnQ8L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgdGhhdCBzdXBwb3J0IHRoZSA8c3BhbiBjbGFz cz0iaW5zZXJ0Ij5EaWFtZXRlciBvdmVybG9hZCBjb250cm9sIG1lY2hhbmlzbSBhcyBzcGVj aWZpZWQgaW48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIGFs Z29yaXRobXMuICA8c3BhbiBjbGFzcz0iZGVsZXRlIj5ET0lDIHJlYWN0aW5nIG5vZGVzIFNI T1VMRCBpbmRpY2F0ZSBzdXBwb3J0IGZvciBib3RoIHRoZTwvc3Bhbj48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgW1JGQzc2ODNd LCBET0lDIG5vZGVzIHN1cHBvcnRpbmcgdGhlPC9zcGFuPiByYXRlIGZlYXR1cmUgPHNwYW4g Y2xhc3M9Imluc2VydCI+d2lsbDwvc3Bhbj4gc3VwcG9ydCBib3RoPC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIGxvc3MgYW5kIHJh dGUgYWxnb3JpdGhtcyBpbiB0aGUgT0MtRmVhdHVyZS1WZWN0b3IgQVZQLjwvc3Bhbj48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgdGhlIGxvc3MgYW5kIHJhdGUgYmFz ZWQgYWJhdGVtZW50IGFsZ29yaXRobXMuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0iZGlmZjAwMTkiPjx0ZD48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ ICAgICAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+VGhlcmUgbWF5IGJlIGxvY2FsIHBvbGljeSBy ZWFzb25zIHRoYXQgY2F1c2U8L3NwYW4+IGEgRE9JQyBub2RlIDxzcGFuIGNsYXNzPSJkZWxl dGUiPnRoYXQ8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDxz cGFuIGNsYXNzPSJpbnNlcnQiPkRPSUMgcmVhY3Rpbmcgbm9kZXMgc3VwcG9ydGluZyB0aGUg cmF0ZSBmZWF0dXJlIE1VU1QgaW5kaWNhdGUgc3VwcG9ydDwvc3Bhbj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgICAgc3VwcG9y dHM8L3NwYW4+IHRoZSByYXRlIGFiYXRlbWVudCBhbGdvcml0aG0gPHNwYW4gY2xhc3M9ImRl bGV0ZSI+dG8gbm90IGluY2x1ZGUgaXQ8L3NwYW4+IGluIHRoZSA8c3BhbiBjbGFzcz0iZGVs ZXRlIj5PQy08L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFu IGNsYXNzPSJpbnNlcnQiPiAgIGZvciBib3RoIHRoZSBsb3NzIGFuZCByYXRlIGFsZ29yaXRo bXMgaW4gdGhlIE9DLUZlYXR1cmUtVmVjdG9yIEFWUC48L3NwYW4+PC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgICAgIEZlYXR1cmUt VmVjdG9yLiAgQWxsIHJlYWN0aW5nIG5vZGVzLCBob3dldmVyLCBtdXN0IGNvbnRpbnVlIHRv PC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0i aW5zZXJ0Ij48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFu IGNsYXNzPSJkZWxldGUiPiAgICAgIGluY2x1ZGUgbG9zczwvc3Bhbj4gaW4gdGhlIDxzcGFu IGNsYXNzPSJkZWxldGUiPk9DLUZlYXR1cmUtVmVjdG9yIGluIG9yZGVyPC9zcGFuPiB0byA8 c3BhbiBjbGFzcz0iZGVsZXRlIj5yZW1haW4gY29tcGxpYW50PC9zcGFuPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBBcyBkZWZp bmVkIGluIFtSRkM3NjgzXSw8L3NwYW4+IGEgRE9JQyA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5y ZXBvcnRpbmc8L3NwYW4+IG5vZGUgPHNwYW4gY2xhc3M9Imluc2VydCI+c3VwcG9ydGluZzwv c3Bhbj4gdGhlIHJhdGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4g Y2xhc3M9ImRlbGV0ZSI+ICAgICAgd2l0aCBbUkZDNzY4M10uPC9zcGFuPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5mZWF0dXJl IE1VU1Qgc2VsZWN0IGEgc2luZ2xlPC9zcGFuPiBhYmF0ZW1lbnQgYWxnb3JpdGhtIGluIHRo ZSA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5PQy1GZWF0dXJlLTwvc3Bhbj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si PjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIFZlY3RvciBBVlAgYW5kIE9DLVBlZXItQWxnbyBB VlA8L3NwYW4+IGluIHRoZSA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5zZW50PC9zcGFuPiB0byA8 c3BhbiBjbGFzcz0iaW5zZXJ0Ij50aGUgRE9JQyByZWFjdGluZzwvc3Bhbj48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxv Y2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIG5vZGVzLjwvc3Bhbj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQSByZXBvcnRpbmcgbm9kZSBNQVkg c2VsZWN0IG9uZSBhYmF0ZW1lbnQgYWxnb3JpdGhtIHRvIGFwcGx5IHRvIGhvc3Q8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBBIHJlcG9ydGluZyBub2RlIE1BWSBzZWxl Y3Qgb25lIGFiYXRlbWVudCBhbGdvcml0aG0gdG8gYXBwbHkgdG8gaG9zdDwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYW5kIHJlYWxtIHJlcG9ydHMgYW5kIGEgZGlmZmVy ZW50IGFsZ29yaXRobSB0byBhcHBseSB0byBwZWVyIHJlcG9ydHMuPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgYW5kIHJlYWxtIHJlcG9ydHMgYW5kIGEgZGlmZmVyZW50 IGFsZ29yaXRobSB0byBhcHBseSB0byBwZWVyIHJlcG9ydHMuPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIEZvciBob3N0IG9yIHJlYWxtIHJlcG9y dHMgdGhlIHNlbGVjdGVkIGFsZ29yaXRobSBpcyByZWZsZWN0ZWQgaW48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBGb3IgaG9zdCBvciByZWFsbSByZXBvcnRzIHRo ZSBzZWxlY3RlZCBhbGdvcml0aG0gaXMgcmVmbGVjdGVkIGluPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICAgICB0aGUgT0MtRmVhdHVyZS1WZWN0b3IgQVZQIHNlbnQgYXMg cGFydCBvZiB0aGUgT0MtU3VwcG9ydGVkLTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgICAgIHRoZSBPQy1GZWF0dXJlLVZlY3RvciBBVlAgc2VudCBhcyBwYXJ0IG9mIHRo ZSBPQy1TdXBwb3J0ZWQtPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBG ZWF0dXJlcyBBVlAgaW5jbHVkZWQgaW4gYW5zd2VyIG1lc3NhZ2VzIGZvciB0cmFuc2FjdGlv biB3aGVyZSB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBGZWF0 dXJlcyBBVlAgaW5jbHVkZWQgaW4gYW5zd2VyIG1lc3NhZ2VzIGZvciB0cmFuc2FjdGlvbiB3 aGVyZSB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIHJlcXVlc3Qg Y29udGFpbmVkIGFuIE9DLVN1cHBvcnRlZC1GZWF0dXJlcyBBVlAuICBUaGlzIGlzIHBlciB0 aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICByZXF1ZXN0IGNvbnRh aW5lZCBhbiBPQy1TdXBwb3J0ZWQtRmVhdHVyZXMgQVZQLiAgVGhpcyBpcyBwZXIgdGhlPC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBwcm9jZWR1cmVzIGRlZmluZWQg aW4gW1JGQzc2ODNdLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIHBy b2NlZHVyZXMgZGVmaW5lZCBpbiBbUkZDNzY4M10uPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIEZvciBwZWVyIHJlcG9ydHMgdGhlIHNlbGVjdGVk IGFsZ29yaXRobSBpcyByZWZsZWN0ZWQgaW4gdGhlIE9DLTwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgICAgIEZvciBwZWVyIHJlcG9ydHMgdGhlIHNlbGVjdGVkIGFsZ29y aXRobSBpcyByZWZsZWN0ZWQgaW4gdGhlIE9DLTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgICAgUGVlci1BbGdvIEFWUCBzZW50IGFzIHBhcnQgb2YgdGhlIE9DLVN1cHBv cnRlZC1GZWF0dXJlcyBBVlA8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAg ICBQZWVyLUFsZ28gQVZQIHNlbnQgYXMgcGFydCBvZiB0aGUgT0MtU3VwcG9ydGVkLUZlYXR1 cmVzIEFWUDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgaW5jbHVkZWQg YW5zd2VyIG1lc3NhZ2VzIGZvciB0cmFuc2FjdGlvbnMgd2hlcmUgdGhlIHJlcXVlc3Q8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBpbmNsdWRlZCBhbnN3ZXIgbWVz c2FnZXMgZm9yIHRyYW5zYWN0aW9ucyB3aGVyZSB0aGUgcmVxdWVzdDwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgY29udGFpbmVkIGFuIE9DLVN1cHBvcnRlZC1GZWF0 dXJlcyBBVlAuICBUaGlzIGlzIHBlciB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij4gICAgICBjb250YWluZWQgYW4gT0MtU3VwcG9ydGVkLUZlYXR1cmVzIEFWUC4gIFRo aXMgaXMgcGVyIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgcHJv Y2VkdXJlcyBkZWZpbmVkIGluIFtJLUQuaWV0Zi1kaW1lLWFnZW50LW92ZXJsb2FkXS48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBwcm9jZWR1cmVzIGRlZmluZWQg aW4gW0ktRC5pZXRmLWRpbWUtYWdlbnQtb3ZlcmxvYWRdLjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDIwIj48dGQ+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsYmxvY2siPiAgICAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPkVkaXRvcidzIE5vZGU6IFRo ZSBwZWVyIHJlcG9ydCBzcGVjaWZpY2F0aW9uIGlzIHN0aWxsIHVuZGVyPC9zcGFuPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgICAgZGV2ZWxvcG1lbnQgYW5kLCBh cyBzdWNoLCB0aGUgYWJvdmUgcGFyYWdyYXBoIGlzIHN1YmplY3QgdG88L3NwYW4+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICAgICBjaGFuZ2UuPC9zcGFuPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxibG9jayI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjUuICBPdmVybG9hZCBS ZXBvcnQgSGFuZGxpbmc8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij41LiAgT3Zl cmxvYWQgUmVwb3J0IEhhbmRsaW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgIFRoaXMgc2VjdGlvbiBkZXNjcmliZXMgYW55IGNoYW5nZXMgdG8gdGhl IGJlaGF2aW9yIGRlZmluZWQgaW48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBUaGlzIHNlY3Rpb24gZGVzY3JpYmVzIGFueSBjaGFuZ2VzIHRvIHRoZSBiZWhhdmlvciBk ZWZpbmVkIGluPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBbUkZDNzY4M10g Zm9yIGhhbmRsaW5nIG9mIG92ZXJsb2FkIHJlcG9ydHMgd2hlbiB0aGUgcmF0ZSBvdmVybG9h ZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFtSRkM3NjgzXSBmb3IgaGFu ZGxpbmcgb2Ygb3ZlcmxvYWQgcmVwb3J0cyB3aGVuIHRoZSByYXRlIG92ZXJsb2FkPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBhYmF0ZW1lbnQgYWxnb3JpdGhtIGlzIHVz ZWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWJhdGVtZW50IGFsZ29y aXRobSBpcyB1c2VkLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij41LjEuICBSZXBvcnRpbmcgTm9kZSBPdmVybG9hZCBDb250cm9sIFN0YXRlPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+NS4xLiAgUmVwb3J0aW5nIE5vZGUgT3ZlcmxvYWQg Q29udHJvbCBTdGF0ZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBBIHJlcG9ydGluZyBub2RlIHRoYXQgdXNlcyB0aGUgcmF0ZSBhYmF0ZW1lbnQgYWxn b3JpdGhtIFNIT1VMRDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEEgcmVw b3J0aW5nIG5vZGUgdGhhdCB1c2VzIHRoZSByYXRlIGFiYXRlbWVudCBhbGdvcml0aG0gU0hP VUxEPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBtYWludGFpbiByZXBvcnRp bmcgbm9kZSBPdmVybG9hZCBDb250cm9sIFN0YXRlIChPQ1MpIGZvciBlYWNoPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgbWFpbnRhaW4gcmVwb3J0aW5nIG5vZGUgT3Zl cmxvYWQgQ29udHJvbCBTdGF0ZSAoT0NTKSBmb3IgZWFjaDwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9InBhcnQtNSIgY2xhc3M9 ImNoYW5nZSI+PHRkPjwvdGQ+PHRoPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3Nt YWxsPjxhIGhyZWY9IiNwYXJ0LTUiPjxlbT4gcGFnZSA2LCBsaW5lIDM3PHNwYW4gY2xhc3M9 ImhpZGUiPiDCtjwvc3Bhbj48L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+PHNtYWxsPnNr aXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGEgaHJlZj0iI3BhcnQtNSI+PGVtPiBwYWdl IDYsIGxpbmUgMzU8c3BhbiBjbGFzcz0iaGlkZSI+IMK2PC9zcGFuPjwvZW0+PC9hPjwvdGg+ PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgICAgVGhpcyBpcyBkaWZmZXJlbnQgZnJvbSB0aGUgYmVoYXZpb3Ig ZGVmaW5lZCBpbiBbUkZDNzY4M10gd2hlcmUgYTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgICAgIFRoaXMgaXMgZGlmZmVyZW50IGZyb20gdGhlIGJlaGF2aW9yIGRlZmlu ZWQgaW4gW1JGQzc2ODNdIHdoZXJlIGE8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgICAgIHNpbmdsZSBsb3NzIHBlcmNlbnRhZ2Ugc2VudCB0byBhbGwgcmVhY3Rpbmcgbm9k ZXMuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgc2luZ2xlIGxvc3Mg cGVyY2VudGFnZSBzZW50IHRvIGFsbCByZWFjdGluZyBub2Rlcy48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu ZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQSByZXBvcnRpbmcgbm9kZSBTSE9VTEQg bWFpbnRhaW4gT0NTIGVudHJpZXMgd2hlbiB1c2luZyB0aGUgcmF0ZTwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIEEgcmVwb3J0aW5nIG5vZGUgU0hPVUxEIG1haW50YWlu IE9DUyBlbnRyaWVzIHdoZW4gdXNpbmcgdGhlIHJhdGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgIGFiYXRlbWVudCBhbGdvcml0aG0gcGVyIHN1cHBvcnRlZCBEaWFtZXRl ciBhcHBsaWNhdGlvbiwgcGVyIHRhcmdldGVkPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+ICAgYWJhdGVtZW50IGFsZ29yaXRobSBwZXIgc3VwcG9ydGVkIERpYW1ldGVyIGFw cGxpY2F0aW9uLCBwZXIgdGFyZ2V0ZWQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIHJlYWN0aW5nIG5vZGUgYW5kIHBlciByZXBvcnQgdHlwZS48L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICByZWFjdGluZyBub2RlIGFuZCBwZXIgcmVwb3J0IHR5cGUu PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEEgcmF0ZSBP Q1MgZW50cnkgaXMgaWRlbnRpZmllZCBieSB0aGUgdHVwbGUgb2YgQXBwbGljYXRpb24tSWQs IHJlcG9ydDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEEgcmF0ZSBPQ1Mg ZW50cnkgaXMgaWRlbnRpZmllZCBieSB0aGUgdHVwbGUgb2YgQXBwbGljYXRpb24tSWQsIHJl cG9ydDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdHlwZSBhbmQgRGlhbWV0 ZXJJZGVudGl0eSBvZiB0aGUgdGFyZ2V0IG9mIHRoZSByYXRlIE9MUi48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB0eXBlIGFuZCBEaWFtZXRlcklkZW50aXR5IG9mIHRo ZSB0YXJnZXQgb2YgdGhlIHJhdGUgT0xSLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDIxIj48dGQ+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si PiAgIEEgcmVwb3J0aW5nIG5vZGUgdGhhdCA8c3BhbiBjbGFzcz0iZGVsZXRlIj5zdXBwb3J0 czwvc3Bhbj4gdGhlIHJhdGUgYWJhdGVtZW50IGFsZ29yaXRobSBNVVNUPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIEEgcmVwb3J0aW5nIG5vZGUgdGhhdCA8c3BhbiBj bGFzcz0iaW5zZXJ0Ij5oYXMgc2VsZWN0ZWQ8L3NwYW4+IHRoZSByYXRlIDxzcGFuIGNsYXNz PSJpbnNlcnQiPm92ZXJvbG9hZDwvc3Bhbj4gYWJhdGVtZW50PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsYmxvY2siPiAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPmluY2x1ZGU8L3NwYW4+ IHRoZSByYXRlIDxzcGFuIGNsYXNzPSJkZWxldGUiPm9mIGl0cyBhYmF0ZW1lbnQgYWxnb3Jp dGhtPC9zcGFuPiBpbiB0aGUgT0MtTWF4aW11bS1SYXRlPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyYmxvY2siPiAgIGFsZ29yaXRobSBNVVNUIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmlu ZGljYXRlPC9zcGFuPiB0aGUgcmF0ZSA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5yZXF1ZXN0ZWQg dG8gYmUgYXBwbGllZCBieSBET0lDPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGJsb2NrIj4gICBBVlAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+d2hlbiBzZW5kaW5nIGEgcmF0 ZSBPTFIuPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBj bGFzcz0iaW5zZXJ0Ij4gICByZWFjdGluZyBub2Rlczwvc3Bhbj4gaW4gdGhlIE9DLU1heGlt dW0tUmF0ZSBBVlAgPHNwYW4gY2xhc3M9Imluc2VydCI+aW5jbHVkZWQgaW4gdGhlIE9DLU9M UiBBVlAuPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBBbGwgb3RoZXIgZWxlbWVudHMgZm9yIHRoZSBPQ1MgZGVmaW5lZCBpbiBbUkZDNzY4 M10gYW5kPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgQWxsIG90aGVyIGVs ZW1lbnRzIGZvciB0aGUgT0NTIGRlZmluZWQgaW4gW1JGQzc2ODNdIGFuZDwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW0ktRC5pZXRmLWRpbWUtYWdlbnQtb3ZlcmxvYWRd IGFsc28gYXBwbHkgdG8gdGhlIHJlcG9ydGluZyBub2RlcyBPQ1M8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICBbSS1ELmlldGYtZGltZS1hZ2VudC1vdmVybG9hZF0gYWxz byBhcHBseSB0byB0aGUgcmVwb3J0aW5nIG5vZGVzIE9DUzwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgd2hlbiB1c2luZyB0aGUgcmF0ZSBhYmF0ZW1lbnQgYWxnb3JpdGht LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHdoZW4gdXNpbmcgdGhlIHJh dGUgYWJhdGVtZW50IGFsZ29yaXRobS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+NS4yLiAgUmVhY3RpbmcgTm9kZSBPdmVybG9hZCBDb250cm9sIFN0YXRl PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+NS4yLiAgUmVhY3RpbmcgTm9kZSBP dmVybG9hZCBDb250cm9sIFN0YXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgIEEgcmVhY3Rpbmcgbm9kZSB0aGF0IHN1cHBvcnRzIHRoZSByYXRlIGFi YXRlbWVudCBhbGdvcml0aG0gTVVTVDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIEEgcmVhY3Rpbmcgbm9kZSB0aGF0IHN1cHBvcnRzIHRoZSByYXRlIGFiYXRlbWVudCBh bGdvcml0aG0gTVVTVDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaW5kaWNh dGUgcmF0ZSBhcyB0aGUgc2VsZWN0ZWQgYWJhdGVtZW50IGFsZ29yaXRobSBpbiB0aGUgcmVh Y3Rpbmc8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBpbmRpY2F0ZSByYXRl IGFzIHRoZSBzZWxlY3RlZCBhYmF0ZW1lbnQgYWxnb3JpdGhtIGluIHRoZSByZWFjdGluZzwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlkPSJkaWZmMDAy MiI+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGJsb2NrIj4gICBub2RlIE9DUyA8c3BhbiBjbGFzcz0iZGVsZXRlIj53aGVu IHJlY2VpdmluZyBhIHJhdGUgT0xSLjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJibG9jayI+ICAgbm9kZSBPQ1MgPHNwYW4gY2xhc3M9Imluc2VydCI+YmFzZWQgb24gdGhl IE9DLUZlYXR1cmUtVmVjdG9yIEFWUCBvciB0aGUgT0MtUGVlci1BbGdvIEFWUDwvc3Bhbj48 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGluIHRoZSByZWNlaXZlZCBP Qy1TdXBwb3J0ZWQtRmVhdHVyZXMgQVZQLjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQSByZWFjdGluZyBub2RlIHRoYXQgc3VwcG9ydHMg dGhlIHJhdGUgYWJhdGVtZW50IGFsZ29yaXRobSBNVVNUPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgQSByZWFjdGluZyBub2RlIHRoYXQgc3VwcG9ydHMgdGhlIHJhdGUg YWJhdGVtZW50IGFsZ29yaXRobSBNVVNUPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBpbmNsdWRlIHRoZSByYXRlIHNwZWNpZmllZCBpbiB0aGUgT0MtTWF4aW11bS1SYXRl IEFWUCBpbmNsdWRlZCBpbiB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBpbmNsdWRlIHRoZSByYXRlIHNwZWNpZmllZCBpbiB0aGUgT0MtTWF4aW11bS1SYXRlIEFW UCBpbmNsdWRlZCBpbiB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIE9D LU9MUiBBVlAgYXMgYW4gZWxlbWVudCBvZiB0aGUgYWJhdGVtZW50IGFsZ29yaXRobSBzcGVj aWZpYyBwb3J0aW9uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgT0MtT0xS IEFWUCBhcyBhbiBlbGVtZW50IG9mIHRoZSBhYmF0ZW1lbnQgYWxnb3JpdGhtIHNwZWNpZmlj IHBvcnRpb248L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG9mIHJlYWN0aW5n IG5vZGUgT0NTIGVudHJpZXMuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg b2YgcmVhY3Rpbmcgbm9kZSBPQ1MgZW50cmllcy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgQWxsIG90aGVyIGVsZW1lbnRzIGZvciB0aGUgT0NTIGRl ZmluZWQgaW4gW1JGQzc2ODNdIGFuZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIEFsbCBvdGhlciBlbGVtZW50cyBmb3IgdGhlIE9DUyBkZWZpbmVkIGluIFtSRkM3Njgz XSBhbmQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtJLUQuaWV0Zi1kaW1l LWFnZW50LW92ZXJsb2FkXSBhbHNvIGFwcGx5IHRvIHRoZSByZXBvcnRpbmcgbm9kZXMgT0NT PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW0ktRC5pZXRmLWRpbWUtYWdl bnQtb3ZlcmxvYWRdIGFsc28gYXBwbHkgdG8gdGhlIHJlcG9ydGluZyBub2RlcyBPQ1M8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHdoZW4gdXNpbmcgdGhlIHJhdGUgYWJh dGVtZW50IGFsZ29yaXRobS48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB3 aGVuIHVzaW5nIHRoZSByYXRlIGFiYXRlbWVudCBhbGdvcml0aG0uPC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlk PSJwYXJ0LTYiIGNsYXNzPSJjaGFuZ2UiPjx0ZD48L3RkPjx0aD48c21hbGw+c2tpcHBpbmcg dG8gY2hhbmdlIGF0PC9zbWFsbD48YSBocmVmPSIjcGFydC02Ij48ZW0+IHBhZ2UgNywgbGlu ZSAyNzxzcGFuIGNsYXNzPSJoaWRlIj4gwrY8L3NwYW4+PC9lbT48L2E+PC90aD48dGg+IDwv dGg+PHRoPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxhIGhyZWY9IiNw YXJ0LTYiPjxlbT4gcGFnZSA3LCBsaW5lIDI3PHNwYW4gY2xhc3M9ImhpZGUiPiDCtjwvc3Bh bj48L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEEgcmVwb3J0aW5nIG5vZGUgdGhhdCBo YXMgc2VsZWN0ZWQgdGhlIHJhdGUgYWJhdGVtZW50IGFsZ29yaXRobSBhbmQ8L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBBIHJlcG9ydGluZyBub2RlIHRoYXQgaGFzIHNl bGVjdGVkIHRoZSByYXRlIGFiYXRlbWVudCBhbGdvcml0aG0gYW5kPC90ZD48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBlbnRlcnMgYW4gb3ZlcmxvYWQgY29uZGl0aW9uIE1VU1Qg aW5kaWNhdGUgdGhlIHNlbGVjdGVkIHJhdGUgaW4gdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgZW50ZXJzIGFuIG92ZXJsb2FkIGNvbmRpdGlvbiBNVVNUIGluZGlj YXRlIHRoZSBzZWxlY3RlZCByYXRlIGluIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgcmVzdWx0aW5nIHJlcG9ydGluZyBub2RlIE9DUyBlbnRyaWVzLjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlc3VsdGluZyByZXBvcnRpbmcgbm9kZSBP Q1MgZW50cmllcy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgV2hlbiBzZWxlY3RpbmcgdGhlIHJhdGUgYWxnb3JpdGhtIGluIHRoZSByZXNwb25zZSB0 byBhIHJlcXVlc3QgdGhhdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFdo ZW4gc2VsZWN0aW5nIHRoZSByYXRlIGFsZ29yaXRobSBpbiB0aGUgcmVzcG9uc2UgdG8gYSBy ZXF1ZXN0IHRoYXQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGNvbnRhaW5l ZCBhbiBPQy1TdXBwb3J0aW5nLUZlYXR1cmVzIEFWUCB3aXRoIGFuIE9DLUZlYXR1cmUtVmVj dG9yIEFWUDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGNvbnRhaW5lZCBh biBPQy1TdXBwb3J0aW5nLUZlYXR1cmVzIEFWUCB3aXRoIGFuIE9DLUZlYXR1cmUtVmVjdG9y IEFWUDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaW5kaWNhdGluZyBzdXBw b3J0IGZvciB0aGUgcmF0ZSBmZWF0dXJlLCBhIHJlcG9ydGluZyBub2RlIE1VU1QgZW5zdXJl PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgaW5kaWNhdGluZyBzdXBwb3J0 IGZvciB0aGUgcmF0ZSBmZWF0dXJlLCBhIHJlcG9ydGluZyBub2RlIE1VU1QgZW5zdXJlPC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aGF0IGEgcmVwb3J0aW5nIG5vZGUg T0NTIGVudHJ5IGV4aXN0cyBmb3IgdGhlIHRhcmdldCBvZiB0aGUgb3ZlcmxvYWQ8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB0aGF0IGEgcmVwb3J0aW5nIG5vZGUgT0NT IGVudHJ5IGV4aXN0cyBmb3IgdGhlIHRhcmdldCBvZiB0aGUgb3ZlcmxvYWQ8L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlcG9ydC4gIFRoZSB0YXJnZXQgaXMgZGVmaW5l ZCBhcyBmb2xsb3dzOjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcG9y dC4gIFRoZSB0YXJnZXQgaXMgZGVmaW5lZCBhcyBmb2xsb3dzOjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDIzIj48 dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsYmxvY2siPiAgIG8gIEZvciBIb3N0IHJlcG9ydHMgdGhlIHRhcmdldCBpcyB0aGUg RGlhbWV0ZXJJZGVudGl0eSBjb250YWluZWQgaW48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJibG9jayI+ICAgbyAgRm9yIEhvc3QgcmVwb3J0czxzcGFuIGNsYXNzPSJpbnNlcnQiPiw8 L3NwYW4+IHRoZSB0YXJnZXQgaXMgdGhlIERpYW1ldGVySWRlbnRpdHkgY29udGFpbmVkIGlu PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICB0aGUgT3JpZ2luLUhvc3Qg QVZQIHJlY2VpdmVkIGluIHRoZSByZXF1ZXN0LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgICAgIHRoZSBPcmlnaW4tSG9zdCBBVlAgcmVjZWl2ZWQgaW4gdGhlIHJlcXVl c3QuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0ciBpZD0iZGlmZjAwMjQiPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgbyAgRm9yIFJlYWxtIHJlcG9y dHMgdGhlIHRhcmdldCBpcyB0aGUgRGlhbWV0ZXJJZGVudGl0eSBjb250YWluZWQgaW48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgbyAgRm9yIFJlYWxtIHJlcG9ydHM8 c3BhbiBjbGFzcz0iaW5zZXJ0Ij4sPC9zcGFuPiB0aGUgdGFyZ2V0IGlzIHRoZSBEaWFtZXRl cklkZW50aXR5IGNvbnRhaW5lZCBpbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgICAgdGhlIE9yaWdpbi1SZWFsbSBBVlAgcmVjZWl2ZWQgaW4gdGhlIHJlcXVlc3QuPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgdGhlIE9yaWdpbi1SZWFsbSBB VlAgcmVjZWl2ZWQgaW4gdGhlIHJlcXVlc3QuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0iZGlmZjAwMjUiPjx0ZD48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+ICAgbyAgRm9yIFBlZXIgcmVwb3J0cyB0aGUgdGFyZ2V0IGlzIHRoZSBEaWFtZXRlcklk ZW50aXR5IG9mIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBvICBG b3IgUGVlciByZXBvcnRzPHNwYW4gY2xhc3M9Imluc2VydCI+LDwvc3Bhbj4gdGhlIHRhcmdl dCBpcyB0aGUgRGlhbWV0ZXJJZGVudGl0eSBvZiB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgICAgIERpYW1ldGVyIFBlZXIgZnJvbSB3aGljaCB0aGUgcmVxdWVzdCB3 YXMgcmVjZWl2ZWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgRGlh bWV0ZXIgUGVlciBmcm9tIHdoaWNoIHRoZSByZXF1ZXN0IHdhcyByZWNlaXZlZC48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+NS40LiAgUmVhY3RpbmcgTm9k ZSBNYWludGVuYW5jZSBvZiBPdmVybG9hZCBDb250cm9sIFN0YXRlPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+NS40LiAgUmVhY3RpbmcgTm9kZSBNYWludGVuYW5jZSBvZiBP dmVybG9hZCBDb250cm9sIFN0YXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgIFdoZW4gcmVjZWl2aW5nIGFuIGFuc3dlciBtZXNzYWdlIGluZGljYXRp bmcgdGhhdCB0aGUgcmVwb3J0aW5nIG5vZGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij4gICBXaGVuIHJlY2VpdmluZyBhbiBhbnN3ZXIgbWVzc2FnZSBpbmRpY2F0aW5nIHRo YXQgdGhlIHJlcG9ydGluZyBub2RlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g ICBoYXMgc2VsZWN0ZWQgdGhlIHJhdGUgYWxnb3JpdGhtLCBhIHJlYWN0aW5nIG5vZGUgTVVT VCBpbmRpY2F0ZSB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBoYXMg c2VsZWN0ZWQgdGhlIHJhdGUgYWxnb3JpdGhtLCBhIHJlYWN0aW5nIG5vZGUgTVVTVCBpbmRp Y2F0ZSB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJhdGUgYWJhdGVt ZW50IGFsZ29yaXRobSBpbiB0aGUgcmVhY3Rpbmcgbm9kZSBPQ1MgZW50cnkgZm9yIHRoZTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJhdGUgYWJhdGVtZW50IGFsZ29y aXRobSBpbiB0aGUgcmVhY3Rpbmcgbm9kZSBPQ1MgZW50cnkgZm9yIHRoZTwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcmVwb3J0aW5nIG5vZGUuPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgcmVwb3J0aW5nIG5vZGUuPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEEgcmVhY3Rpbmcgbm9kZSByZWNlaXZpbmcg YW4gb3ZlcmxvYWQgcmVwb3J0IGZvciB0aGUgcmF0ZSBhYmF0ZW1lbnQ8L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBBIHJlYWN0aW5nIG5vZGUgcmVjZWl2aW5nIGFuIG92 ZXJsb2FkIHJlcG9ydCBmb3IgdGhlIHJhdGUgYWJhdGVtZW50PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0icGFydC03IiBjbGFz cz0iY2hhbmdlIj48dGQ+PC90ZD48dGg+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwv c21hbGw+PGEgaHJlZj0iI3BhcnQtNyI+PGVtPiBwYWdlIDgsIGxpbmUgOTxzcGFuIGNsYXNz PSJoaWRlIj4gwrY8L3NwYW4+PC9lbT48L2E+PC90aD48dGg+IDwvdGg+PHRoPjxzbWFsbD5z a2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxhIGhyZWY9IiNwYXJ0LTciPjxlbT4gcGFn ZSA4LCBsaW5lIDk8c3BhbiBjbGFzcz0iaGlkZSI+IMK2PC9zcGFuPjwvZW0+PC9hPjwvdGg+ PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+NS41LiAgUmVwb3J0aW5nIE5vZGUgQmVoYXZpb3IgZm9yIFJhdGUgQWJh dGVtZW50IEFsZ29yaXRobTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjUuNS4g IFJlcG9ydGluZyBOb2RlIEJlaGF2aW9yIGZvciBSYXRlIEFiYXRlbWVudCBBbGdvcml0aG08 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgV2hlbiBpbiBh biBvdmVybG9hZCBjb25kaXRpb24gd2l0aCByYXRlIHNlbGVjdGVkIGFzIHRoZSBvdmVybG9h ZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFdoZW4gaW4gYW4gb3Zlcmxv YWQgY29uZGl0aW9uIHdpdGggcmF0ZSBzZWxlY3RlZCBhcyB0aGUgb3ZlcmxvYWQ8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGFiYXRlbWVudCBhbGdvcml0aG0gYW5kIHdo ZW4gaGFuZGxpbmcgYSByZXF1ZXN0IHRoYXQgY29udGFpbmVkIGFuIE9DLTwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGFiYXRlbWVudCBhbGdvcml0aG0gYW5kIHdoZW4g aGFuZGxpbmcgYSByZXF1ZXN0IHRoYXQgY29udGFpbmVkIGFuIE9DLTwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgU3VwcG9ydGVkLUZlYXR1cmVzIEFWUCB0aGF0IGluZGlj YXRlZCBzdXBwb3J0IGZvciB0aGUgcmF0ZSBhYmF0ZW1lbnQ8L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICBTdXBwb3J0ZWQtRmVhdHVyZXMgQVZQIHRoYXQgaW5kaWNhdGVk IHN1cHBvcnQgZm9yIHRoZSByYXRlIGFiYXRlbWVudDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgYWxnb3JpdGhtLCBhIHJlcG9ydGluZyBub2RlIFNIT1VMRCBpbmNsdWRl IGFuIE9DLU9MUiBBVlAgZm9yIHRoZSByYXRlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+ICAgYWxnb3JpdGhtLCBhIHJlcG9ydGluZyBub2RlIFNIT1VMRCBpbmNsdWRlIGFu IE9DLU9MUiBBVlAgZm9yIHRoZSByYXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBhbGdvcml0aG0gdXNpbmcgdGhlIHBhcmFtZXRlcnMgc3RvcmVkIGluIHRoZSByZXBv cnRpbmcgbm9kZSBPQ1MgZm9yPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg YWxnb3JpdGhtIHVzaW5nIHRoZSBwYXJhbWV0ZXJzIHN0b3JlZCBpbiB0aGUgcmVwb3J0aW5n IG5vZGUgT0NTIGZvcjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIHRh cmdldCBvZiB0aGUgb3ZlcmxvYWQgcmVwb3J0LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgIHRoZSB0YXJnZXQgb2YgdGhlIG92ZXJsb2FkIHJlcG9ydC48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgV2hlbiBzZW5kaW5nIGFuIG92 ZXJsb2FkIHJlcG9ydCBmb3IgdGhlIHJhdGUgYWxnb3JpdGhtLCB0aGUgT0MtPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgV2hlbiBzZW5kaW5nIGFuIG92ZXJsb2FkIHJl cG9ydCBmb3IgdGhlIHJhdGUgYWxnb3JpdGhtLCB0aGUgT0MtPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDI2Ij48dGQ+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si PiAgIE1heGltdW0tUmF0ZSBBVlAgTVVTVCBiZSBpbmNsdWRlZCBhbmQgdGhlIDxzcGFuIGNs YXNzPSJkZWxldGUiPk9DLVJlZHVjdGlvbi1QZXJjZW50YWdlPC9zcGFuPiBBVlA8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgTWF4aW11bS1SYXRlIEFWUCBNVVNUIGJl IGluY2x1ZGVkIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmluIHRoZSBPQy1PTFIgQVZQPC9zcGFu PiBhbmQgdGhlIDxzcGFuIGNsYXNzPSJpbnNlcnQiPk9DLTwvc3Bhbj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgTVVTVCBOT1QgYmUgaW5jbHVkZWQuPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIFJlZHVj dGlvbi1QZXJjZW50YWdlPC9zcGFuPiBBVlAgTVVTVCBOT1QgYmUgaW5jbHVkZWQuPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjUuNi4gIFJlYWN0aW5nIE5v ZGUgQmVoYXZpb3IgZm9yIFJhdGUgQWJhdGVtZW50IEFsZ29yaXRobTwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPjUuNi4gIFJlYWN0aW5nIE5vZGUgQmVoYXZpb3IgZm9yIFJh dGUgQWJhdGVtZW50IEFsZ29yaXRobTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij4gICBXaGVuIGRldGVybWluaW5nIGlmIGFiYXRlbWVudCB0cmVhdG1lbnQg c2hvdWxkIGJlIGFwcGxpZWQgdG8gYTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIFdoZW4gZGV0ZXJtaW5pbmcgaWYgYWJhdGVtZW50IHRyZWF0bWVudCBzaG91bGQgYmUg YXBwbGllZCB0byBhPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICByZXF1ZXN0 IGJlaW5nIHNlbnQgdG8gYSByZXBvcnRpbmcgbm9kZSB0aGF0IGhhcyBzZWxlY3RlZCB0aGUg cmF0ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcXVlc3QgYmVpbmcg c2VudCB0byBhIHJlcG9ydGluZyBub2RlIHRoYXQgaGFzIHNlbGVjdGVkIHRoZSByYXRlPC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvdmVybG9hZCBhYmF0ZW1lbnQgYWxn b3JpdGhtLCB0aGUgcmVhY3Rpbmcgbm9kZSBNQVkgdXNlIHRoZSBhbGdvcml0aG08L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvdmVybG9hZCBhYmF0ZW1lbnQgYWxnb3Jp dGhtLCB0aGUgcmVhY3Rpbmcgbm9kZSBNQVkgdXNlIHRoZSBhbGdvcml0aG08L3RkPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGRldGFpbGVkIGluIFNlY3Rpb24gNy48L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBkZXRhaWxlZCBpbiBTZWN0aW9uIDcuPC90 ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIE5vdGU6IE90 aGVyIGFsZ29yaXRobXMgZm9yIGNvbnRyb2xsaW5nIHRoZSByYXRlIGNhbiBiZSBpbXBsZW1l bnRlZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIE5vdGU6IE90aGVy IGFsZ29yaXRobXMgZm9yIGNvbnRyb2xsaW5nIHRoZSByYXRlIGNhbiBiZSBpbXBsZW1lbnRl ZDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgYnkgdGhlIHJlYWN0aW5n IG5vZGUgYXMgbG9uZyBhcyB0aGV5IHJlc3VsdCBpbiB0aGUgY29ycmVjdCByYXRlIG9mPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgYnkgdGhlIHJlYWN0aW5nIG5v ZGUgYXMgbG9uZyBhcyB0aGV5IHJlc3VsdCBpbiB0aGUgY29ycmVjdCByYXRlIG9mPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0i cGFydC04IiBjbGFzcz0iY2hhbmdlIj48dGQ+PC90ZD48dGg+PHNtYWxsPnNraXBwaW5nIHRv IGNoYW5nZSBhdDwvc21hbGw+PGEgaHJlZj0iI3BhcnQtOCI+PGVtPiBwYWdlIDgsIGxpbmUg NDA8c3BhbiBjbGFzcz0iaGlkZSI+IMK2PC9zcGFuPjwvZW0+PC9hPjwvdGg+PHRoPiA8L3Ro Pjx0aD48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48YSBocmVmPSIjcGFy dC04Ij48ZW0+IHBhZ2UgOCwgbGluZSA0MDxzcGFuIGNsYXNzPSJoaWRlIj4gwrY8L3NwYW4+ PC9lbT48L2E+PC90aD48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij42LjEuICBPQy1TdXBwb3J0ZWQtRmVhdHVyZXMg QVZQPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+Ni4xLiAgT0MtU3VwcG9ydGVk LUZlYXR1cmVzIEFWUDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBUaGUgcmF0ZSBhbGdvcml0aG0gZG9lcyBub3QgYWRkIGFueSBuZXcgQVZQcyB0byB0 aGUgT0MtU3VwcG9ydGVkLTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRo ZSByYXRlIGFsZ29yaXRobSBkb2VzIG5vdCBhZGQgYW55IG5ldyBBVlBzIHRvIHRoZSBPQy1T dXBwb3J0ZWQtPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBGZWF0dXJlcyBB VlAuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgRmVhdHVyZXMgQVZQLjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGUgcmF0ZSBh bGdvcml0aG0gZG9lcyBhZGQgYSBuZXcgZmVhdHVyZSBiaXQgdG8gYmUgY2FycmllZCBpbiB0 aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGUgcmF0ZSBhbGdvcml0 aG0gZG9lcyBhZGQgYSBuZXcgZmVhdHVyZSBiaXQgdG8gYmUgY2FycmllZCBpbiB0aGU8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIE9DLUZlYXR1cmUtVmVjdG9yIEFWUC48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBPQy1GZWF0dXJlLVZlY3RvciBB VlAuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjYuMS4xLiAg T0MtRmVhdHVyZS1WZWN0b3IgQVZQPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ Ni4xLjEuICBPQy1GZWF0dXJlLVZlY3RvciBBVlA8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGlkPSJkaWZmMDAyNyI+PHRkPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJs b2NrIj4gICBUaGlzIGV4dGVuc2lvbiBhZGRzIHRoZSBmb2xsb3dpbmcgPHNwYW4gY2xhc3M9 ImRlbGV0ZSI+Y2FwYWJpbGl0aWVzPC9zcGFuPiB0byB0aGUgPHNwYW4gY2xhc3M9ImRlbGV0 ZSI+T0MtRmVhdHVyZS08L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si PiAgIFRoaXMgZXh0ZW5zaW9uIGFkZHMgdGhlIGZvbGxvd2luZyA8c3BhbiBjbGFzcz0iaW5z ZXJ0Ij5jYXBhYmlsaXR5PC9zcGFuPiB0byB0aGUgPHNwYW4gY2xhc3M9Imluc2VydCI+T0Mt RmVhdHVyZS1WZWN0b3I8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si PjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIFZlY3Rvcjwvc3Bhbj4gQVZQLjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBBVlAuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0iZGlmZjAwMjgiPjx0ZD48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxi bG9jayI+ICAgT0xSX1JBVEVfQUxHT1JJVEhNICg8c3BhbiBjbGFzcz0iZGVsZXRlIj4weDAw MDAwMDAwMDAwMDAwMDQ8L3NwYW4+KTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2Nr Ij4gICBPTFJfUkFURV9BTEdPUklUSE0gKDxzcGFuIGNsYXNzPSJpbnNlcnQiPmJpdCAyPC9z cGFuPik8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyIGlkPSJkaWZmMDAyOSI+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgICBXaGVuIHRoaXMgZmxh ZyBpcyBzZXQgYnkgdGhlIG92ZXJsb2FkIGNvbnRyb2wgZW5kcG9pbnQgaXQ8L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgPHNwYW4gY2xhc3M9Imluc2VydCI+Qml0 IDIgaXMgYXNzaWduZWQgdG8gdGhlIHJhdGUgb3ZlcmxvYWQgYWJhdGVtZW50IGFsZ29yaXRo bS48L3NwYW4+ICBXaGVuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAg IGluZGljYXRlcyB0aGF0IHRoZSBET0lDIE5vZGUgc3VwcG9ydHMgdGhlIHJhdGUgb3Zlcmxv YWQgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Y29udHJvbDwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJibG9jayI+ICAgICAgdGhpcyBmbGFnIGlzIHNldCBieSB0aGUgb3Zlcmxv YWQgY29udHJvbCBlbmRwb2ludCBpdCBpbmRpY2F0ZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgICAgYWxnb3JpdGhtLjwvc3Bh bj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgdGhhdCB0aGUgRE9J QyBOb2RlIHN1cHBvcnRzIHRoZSByYXRlIG92ZXJsb2FkIDxzcGFuIGNsYXNzPSJpbnNlcnQi PmFiYXRlbWVudDwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAg ICAgIGFsZ29yaXRobS4uPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij42LjIuICBPQy1PTFIgQVZQPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+Ni4yLiAgT0MtT0xSIEFWUDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij4gICBUaGlzIGV4dGVuc2lvbiBkZWZpbmVzIHRoZSBPQy1NYXhpbXVtLVJh dGUgQVZQIHRvIGJlIGFuIG9wdGlvbmFsIHBhcnQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICBUaGlzIGV4dGVuc2lvbiBkZWZpbmVzIHRoZSBPQy1NYXhpbXVtLVJhdGUg QVZQIHRvIGJlIGFuIG9wdGlvbmFsIHBhcnQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIG9mIHRoZSBPQy1PTFIgQVZQLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIG9mIHRoZSBPQy1PTFIgQVZQLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICAgICBPQy1PTFIgOjo9ICZsdDsgQVZQIEhlYWRlcjogVEJEMiAm Z3Q7PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgT0MtT0xSIDo6PSAm bHQ7IEFWUCBIZWFkZXI6IFRCRDIgJmd0OzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+ICAgICAgICAgICAgICAgICAmbHQ7IE9DLVNlcXVlbmNlLU51bWJlciAmZ3Q7PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAgICAgICAmbHQ7IE9DLVNl cXVlbmNlLU51bWJlciAmZ3Q7PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAg ICAgICAgICAgICAgICZsdDsgT0MtUmVwb3J0LVR5cGUgJmd0OzwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgICAgJmx0OyBPQy1SZXBvcnQtVHlwZSAm Z3Q7PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgICAgIFsg T0MtUmVkdWN0aW9uLVBlcmNlbnRhZ2UgXTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgICAgICAgICAgICAgICAgWyBPQy1SZWR1Y3Rpb24tUGVyY2VudGFnZSBdPC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0i cGFydC05IiBjbGFzcz0iY2hhbmdlIj48dGQ+PC90ZD48dGg+PHNtYWxsPnNraXBwaW5nIHRv IGNoYW5nZSBhdDwvc21hbGw+PGEgaHJlZj0iI3BhcnQtOSI+PGVtPiBwYWdlIDExLCBsaW5l IDE0PHNwYW4gY2xhc3M9ImhpZGUiPiDCtjwvc3Bhbj48L2VtPjwvYT48L3RoPjx0aD4gPC90 aD48dGg+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGEgaHJlZj0iI3Bh cnQtOSI+PGVtPiBwYWdlIDExLCBsaW5lIDE0PHNwYW4gY2xhc3M9ImhpZGUiPiDCtjwvc3Bh bj48L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgV2hlbiBzZXR0aW5n IHRoZSBtYXhpbXVtIHJhdGUgZm9yIGEgcGFydGljdWxhciByZWFjdGluZyBub2RlLCB0aGU8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBXaGVuIHNldHRpbmcgdGhlIG1h eGltdW0gcmF0ZSBmb3IgYSBwYXJ0aWN1bGFyIHJlYWN0aW5nIG5vZGUsIHRoZTwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcmVwb3J0aW5nIG5vZGUgbWF5IG5lZWQgdGFr ZSBpbnRvIGFjY291bnQgdGhlIHdvcmtsb2FkIChlLmcuICBDUFU8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICByZXBvcnRpbmcgbm9kZSBtYXkgbmVlZCB0YWtlIGludG8g YWNjb3VudCB0aGUgd29ya2xvYWQgKGUuZy4gIENQVTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgbG9hZCBwZXIgcmVxdWVzdCkgb2YgdGhlIGRpc3RyaWJ1dGlvbiBvZiBt ZXNzYWdlIHR5cGVzIGZyb20gdGhhdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIGxvYWQgcGVyIHJlcXVlc3QpIG9mIHRoZSBkaXN0cmlidXRpb24gb2YgbWVzc2FnZSB0 eXBlcyBmcm9tIHRoYXQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlYWN0 aW5nIG5vZGUuICBGdXJ0aGVybW9yZSwgYmVjYXVzZSB0aGUgcmVhY3Rpbmcgbm9kZSBtYXkg cHJpb3JpdGl6ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlYWN0aW5n IG5vZGUuICBGdXJ0aGVybW9yZSwgYmVjYXVzZSB0aGUgcmVhY3Rpbmcgbm9kZSBtYXkgcHJp b3JpdGl6ZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIHNwZWNpZmlj IHR5cGVzIG9mIG1lc3NhZ2VzIGl0IHNlbmRzIHdoaWxlIHVuZGVyIG92ZXJsb2FkPC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdGhlIHNwZWNpZmljIHR5cGVzIG9mIG1l c3NhZ2VzIGl0IHNlbmRzIHdoaWxlIHVuZGVyIG92ZXJsb2FkPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICByZXN0cmljdGlvbiwgdGhpcyBkaXN0cmlidXRpb24gb2YgbWVz c2FnZSB0eXBlcyBtYXkgYmUgZGlmZmVyZW50IGZyb208L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICByZXN0cmljdGlvbiwgdGhpcyBkaXN0cmlidXRpb24gb2YgbWVzc2Fn ZSB0eXBlcyBtYXkgYmUgZGlmZmVyZW50IGZyb208L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIHRoZSBtZXNzYWdlIGRpc3RyaWJ1dGlvbiBmb3IgdGhhdCByZWFjdGluZyBu b2RlIHVuZGVyIG5vbi1vdmVybG9hZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIHRoZSBtZXNzYWdlIGRpc3RyaWJ1dGlvbiBmb3IgdGhhdCByZWFjdGluZyBub2RlIHVu ZGVyIG5vbi1vdmVybG9hZDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY29u ZGl0aW9ucyAoZS5nLiwgZWl0aGVyIGhpZ2hlciBvciBsb3dlciBDUFUgbG9hZCkuPC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgY29uZGl0aW9ucyAoZS5nLiwgZWl0aGVy IGhpZ2hlciBvciBsb3dlciBDUFUgbG9hZCkuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBpZD0iZGlmZjAwMzAiPjx0ZD48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+ICAgTm90ZSB0aGF0IHRoZSBBVlAgZm9yIHRoZSByYXRlIGFsZ29yaXRobSA8c3BhbiBj bGFzcz0iZGVsZXRlIj5pczwvc3Bhbj4gYW4gdXBwZXIgYm91bmQgPHNwYW4gY2xhc3M9ImRl bGV0ZSI+KGluPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBO b3RlIHRoYXQgdGhlIDxzcGFuIGNsYXNzPSJpbnNlcnQiPnZhbHVlIG9mIE9DLU1heGltdW0t UmF0ZTwvc3Bhbj4gQVZQIDxzcGFuIGNsYXNzPSJpbnNlcnQiPihpbiByZXF1ZXN0IG1lc3Nh Z2VzIHBlcjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4g Y2xhc3M9ImRlbGV0ZSI+ICAgcmVxdWVzdCBtZXNzYWdlcyBwZXIgc2Vjb25kKTwvc3Bhbj4g b24gdGhlIHRyYWZmaWMgc2VudCBieSB0aGUgcmVhY3Rpbmcgbm9kZTwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBzZWNvbmQpPC9z cGFuPiBmb3IgdGhlIHJhdGUgYWxnb3JpdGhtIDxzcGFuIGNsYXNzPSJpbnNlcnQiPnByb3Zp ZGVzPC9zcGFuPiBhbiB1cHBlciBib3VuZCBvbiB0aGUgdHJhZmZpYzwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk Pjx0ZCBjbGFzcz0ibGJsb2NrIj4gICB0byB0aGUgcmVwb3J0aW5nIG5vZGUuICA8c3BhbiBj bGFzcz0iZGVsZXRlIj5UaGUgcmVhY3Rpbmcgbm9kZSBtYXkgc2VuZCB0cmFmZmljIGF0IGEg cmF0ZTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgc2VudCBi eSB0aGUgcmVhY3Rpbmcgbm9kZSB0byB0aGUgcmVwb3J0aW5nIG5vZGUuPC90ZD48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIHNpZ25pZmlj YW50bHkgbG93ZXIgdGhhbiB0aGUgdXBwZXIgYm91bmQsIGZvciBhIHZhcmlldHkgb2YgcmVh c29ucy48L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo dCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJbiBvdGhlciB3b3Jkcywg d2hlbiBtdWx0aXBsZSByZWFjdGluZyBub2RlcyBhcmUgYmVpbmcgY29udHJvbGxlZCBieTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEluIG90aGVyIHdvcmRzLCB3aGVu IG11bHRpcGxlIHJlYWN0aW5nIG5vZGVzIGFyZSBiZWluZyBjb250cm9sbGVkIGJ5PC90ZD48 dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgaWQ9ImRpZmYwMDMxIj48 dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsYmxvY2siPiAgIGFuIG92ZXJsb2FkZWQgcmVwb3J0aW5nIG5vZGUsIGF0IGFueSBn aXZlbiB0aW1lPHNwYW4gY2xhc3M9ImRlbGV0ZSI+IHNvbWUgcmVhYzwvc3Bhbj50aW5nIG5v ZGVzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIGFuIG92ZXJsb2FkZWQg cmVwb3J0aW5nIG5vZGUsIGF0IGFueSBnaXZlbiB0aW1lPHNwYW4gY2xhc3M9Imluc2VydCI+ LCBzb21lIHJlcG9yPC9zcGFuPnRpbmcgbm9kZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIG1heSByZWNlaXZlIHJlcXVlc3RzIGF0IGEgcmF0ZSBiZWxvdyBpdHMgdGFy Z2V0IG1heGltdW0gRGlhbWV0ZXI8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBtYXkgcmVjZWl2ZSByZXF1ZXN0cyBhdCBhIHJhdGUgYmVsb3cgaXRzIHRhcmdldCBtYXhp bXVtIERpYW1ldGVyPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICByZXF1ZXN0 IHJhdGUgd2hpbGUgb3RoZXJzIGFib3ZlIHRoYXQgdGFyZ2V0IHJhdGUuICBCdXQgdGhlIHJl c3VsdGluZzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlcXVlc3QgcmF0 ZSB3aGlsZSBvdGhlcnMgYWJvdmUgdGhhdCB0YXJnZXQgcmF0ZS4gIEJ1dCB0aGUgcmVzdWx0 aW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICByZXF1ZXN0IHJhdGUgcHJl c2VudGVkIHRvIHRoZSBvdmVybG9hZGVkIHJlcG9ydGluZyBub2RlIHdpbGwgY29udmVyZ2U8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICByZXF1ZXN0IHJhdGUgcHJlc2Vu dGVkIHRvIHRoZSBvdmVybG9hZGVkIHJlcG9ydGluZyBub2RlIHdpbGwgY29udmVyZ2U8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRvd2FyZHMgdGhlIHRhcmdldCBEaWFt ZXRlciByZXF1ZXN0IHJhdGUuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg dG93YXJkcyB0aGUgdGFyZ2V0IERpYW1ldGVyIHJlcXVlc3QgcmF0ZS48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVXBvbiBkZXRlY3Rpb24gb2Ygb3Zl cmxvYWQsIGFuZCB0aGUgZGV0ZXJtaW5hdGlvbiB0byBpbnZva2Ugb3ZlcmxvYWQ8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBVcG9uIGRldGVjdGlvbiBvZiBvdmVybG9h ZCwgYW5kIHRoZSBkZXRlcm1pbmF0aW9uIHRvIGludm9rZSBvdmVybG9hZDwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY29udHJvbHMsIHRoZSByZXBvcnRpbmcgbm9kZSBN VVNUIGZvbGxvdyB0aGUgc3BlY2lmaWNhdGlvbnMgaW48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICBjb250cm9scywgdGhlIHJlcG9ydGluZyBub2RlIE1VU1QgZm9sbG93 IHRoZSBzcGVjaWZpY2F0aW9ucyBpbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgW1JGQzc2ODNdIHRvIG5vdGlmeSBpdHMgY2xpZW50cyBvZiB0aGUgYWxsb2NhdGVkIHRh cmdldCBtYXhpbXVtPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW1JGQzc2 ODNdIHRvIG5vdGlmeSBpdHMgY2xpZW50cyBvZiB0aGUgYWxsb2NhdGVkIHRhcmdldCBtYXhp bXVtPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBEaWFtZXRlciByZXF1ZXN0 IHJhdGUgYW5kIHRvIG5vdGlmeSB0aGVtIHRoYXQgdGhlIHJhdGUgb3ZlcmxvYWQ8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBEaWFtZXRlciByZXF1ZXN0IHJhdGUgYW5k IHRvIG5vdGlmeSB0aGVtIHRoYXQgdGhlIHJhdGUgb3ZlcmxvYWQ8L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPiAgIGFiYXRlbWVudCBpcyBpbiBlZmZlY3QuPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWJhdGVtZW50IGlzIGluIGVmZmVjdC48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhlIHJlcG9ydGluZyBu b2RlIE1VU1QgdXNlIHRoZSBPQy1NYXhpbXVtLVJhdGUgQVZQIGRlZmluZWQgaW4gdGhpczwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSByZXBvcnRpbmcgbm9kZSBN VVNUIHVzZSB0aGUgT0MtTWF4aW11bS1SYXRlIEFWUCBkZWZpbmVkIGluIHRoaXM8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHNwZWNpZmljYXRpb24gdG8gY29tbXVuaWNh dGUgYSB0YXJnZXQgbWF4aW11bSBEaWFtZXRlciByZXF1ZXN0IHJhdGU8L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBzcGVjaWZpY2F0aW9uIHRvIGNvbW11bmljYXRlIGEg dGFyZ2V0IG1heGltdW0gRGlhbWV0ZXIgcmVxdWVzdCByYXRlPC90ZD48dGQgY2xhc3M9Imxp bmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICB0byBlYWNoIG9mIGl0cyBjbGllbnRzLjwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRvIGVhY2ggb2YgaXRzIGNsaWVudHMuPC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjcuMy4gIFJlYWN0aW5nIE5vZGUg QmVoYXZpb3I8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij43LjMuICBSZWFjdGlu ZyBOb2RlIEJlaGF2aW9yPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk PjwvdHI+CiAgICAgIDx0ciBpZD0iZGlmZjAwMzIiPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+Ny4zLjEuICBE ZWZhdWx0IEFsZ29yaXRobTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj43LjMu MS4gIERlZmF1bHQgQWxnb3JpdGhtPHNwYW4gY2xhc3M9Imluc2VydCI+IGZvciBSYXRlLWJh c2VkIENvbnRyb2w8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIEluIGRldGVybWluaW5nIHdoZXRoZXIgb3Igbm90IHRvIHRyYW5zbWl0IGEg c3BlY2lmaWMgbWVzc2FnZSwgdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgSW4gZGV0ZXJtaW5pbmcgd2hldGhlciBvciBub3QgdG8gdHJhbnNtaXQgYSBzcGVjaWZp YyBtZXNzYWdlLCB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlYWN0 aW5nIG5vZGUgY2FuIHVzZSBhbnkgYWxnb3JpdGhtIHRoYXQgbGltaXRzIHRoZSBtZXNzYWdl IHJhdGUgdG88L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICByZWFjdGluZyBu b2RlIGNhbiB1c2UgYW55IGFsZ29yaXRobSB0aGF0IGxpbWl0cyB0aGUgbWVzc2FnZSByYXRl IHRvPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aGUgT0MtTWF4aW11bS1S YXRlIEFWUCB2YWx1ZSBpbiB1bml0cyBvZiBtZXNzYWdlcyBwZXIgc2Vjb25kLiAgRm9yPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdGhlIE9DLU1heGltdW0tUmF0ZSBB VlAgdmFsdWUgaW4gdW5pdHMgb2YgbWVzc2FnZXMgcGVyIHNlY29uZC4gIEZvcjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZWFzZSBvZiBkaXNjdXNzaW9uLCB3ZSBkZWZp bmUgVCA9IDEvW09DLU1heGltdW0tUmF0ZV0gYXMgdGhlIHRhcmdldDwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIGVhc2Ugb2YgZGlzY3Vzc2lvbiwgd2UgZGVmaW5lIFQg PSAxL1tPQy1NYXhpbXVtLVJhdGVdIGFzIHRoZSB0YXJnZXQ8L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQg Y2xhc3M9ImxlZnQiPiAgIGludGVyLURpYW1ldGVyIHJlcXVlc3QgaW50ZXJ2YWwuICBJdCBt YXkgYmUgc3RyaWN0bHkgZGV0ZXJtaW5pc3RpYyw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICBpbnRlci1EaWFtZXRlciByZXF1ZXN0IGludGVydmFsLiAgSXQgbWF5IGJl IHN0cmljdGx5IGRldGVybWluaXN0aWMsPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICBvciBpdCBtYXkgYmUgcHJvYmFiaWxpc3RpYy4gIEl0IG1heSwgb3IgbWF5IG5vdCwg aGF2ZSBhIHRvbGVyYW5jZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG9y IGl0IG1heSBiZSBwcm9iYWJpbGlzdGljLiAgSXQgbWF5LCBvciBtYXkgbm90LCBoYXZlIGEg dG9sZXJhbmNlPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBmYWN0b3IsIHRv IGFsbG93IGZvciBzaG9ydCBidXJzdHMsIGFzIGxvbmcgYXMgdGhlIGxvbmcgdGVybSByYXRl PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZmFjdG9yLCB0byBhbGxvdyBm b3Igc2hvcnQgYnVyc3RzLCBhcyBsb25nIGFzIHRoZSBsb25nIHRlcm0gcmF0ZTwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcmVtYWlucyBiZWxvdyAxL1QuPC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcmVtYWlucyBiZWxvdyAxL1QuPC90ZD48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyIGlkPSJwYXJ0LTEwIiBjbGFzcz0iY2hhbmdlIj48dGQ+PC90ZD48dGg+PHNtYWxsPnNr aXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGEgaHJlZj0iI3BhcnQtMTAiPjxlbT4gcGFn ZSAxOSwgbGluZSA2PHNwYW4gY2xhc3M9ImhpZGUiPiDCtjwvc3Bhbj48L2VtPjwvYT48L3Ro Pjx0aD4gPC90aD48dGg+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGEg aHJlZj0iI3BhcnQtMTAiPjxlbT4gcGFnZSAxOSwgbGluZSA2PHNwYW4gY2xhc3M9ImhpZGUi PiDCtjwvc3Bhbj48L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgRXJy YW1pbGxpLCBBLiBhbmQgTC4gRm9yeXMsICJUcmFmZmljIFN5bmNocm9uaXphdGlvbjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgRXJyYW1pbGxpLCBB LiBhbmQgTC4gRm9yeXMsICJUcmFmZmljIFN5bmNocm9uaXphdGlvbjwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBFZmZlY3RzIEluIFRlbGV0cmFmZmlj IFN5c3RlbXMiLCAxOTkxLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAg ICAgICAgICAgRWZmZWN0cyBJbiBUZWxldHJhZmZpYyBTeXN0ZW1zIiwgMTk5MS48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzc0MTVdICBOb2Vs LCBFLiBhbmQgUC4gV2lsbGlhbXMsICJTZXNzaW9uIEluaXRpYXRpb24gUHJvdG9jb2w8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZDNzQxNV0gIE5vZWwsIEUuIGFu ZCBQLiBXaWxsaWFtcywgIlNlc3Npb24gSW5pdGlhdGlvbiBQcm90b2NvbDwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICAoU0lQKSBSYXRlIENvbnRyb2wi LCBSRkMgNzQxNSwgRE9JIDEwLjE3NDg3L1JGQzc0MTUsPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgICAgICAgICAgICAoU0lQKSBSYXRlIENvbnRyb2wiLCBSRkMgNzQx NSwgRE9JIDEwLjE3NDg3L1JGQzc0MTUsPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0 Ij4gICAgICAgICAgICAgIEZlYnJ1YXJ5IDIwMTUsICZsdDtodHRwczovL3d3dy5yZmMtZWRp dG9yLm9yZy9pbmZvL3JmYzc0MTUmZ3Q7LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgICAgICAgICAgICAgRmVicnVhcnkgMjAxNSwgJmx0O2h0dHBzOi8vd3d3LnJmYy1l ZGl0b3Iub3JnL2luZm8vcmZjNzQxNSZndDsuPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPkF1dGhvcnMnIEFkZHJlc3NlczwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPkF1dGhvcnMnIEFkZHJlc3NlczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgU3RldmUgRG9ub3ZhbiAoZWRpdG9yKTwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgIFN0ZXZlIERvbm92YW4gKGVkaXRvcik8L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPiAgIE9yYWNsZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIE9yYWNsZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAg PHRyIGlkPSJkaWZmMDAzMyI+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICA8c3BhbiBjbGFzcz0iZGVsZXRl Ij4xNzIxMCBDYW1wYmVsbCBSb2FkPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmJsb2NrIj4gICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij43NDYwIFdhcnJlbiBQa3d5ICMgMzAw PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0i ZGVsZXRlIj4gICBEYWxsYXMsPC9zcGFuPiBUZXhhcyAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+ NzUyNTQ8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNs YXNzPSJpbnNlcnQiPiAgIEZyaXNjbyw8L3NwYW4+IFRleGFzICA8c3BhbiBjbGFzcz0iaW5z ZXJ0Ij43NTAzNDwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFVu aXRlZCBTdGF0ZXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBVbml0ZWQg U3RhdGVzPC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEVt YWlsOiBzcmRvbm92YW5AdXNkb25vdmFucy5jb208L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICBFbWFpbDogc3Jkb25vdmFuQHVzZG9ub3ZhbnMuY29tPC90ZD48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEVyaWMgTm9lbDwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEVyaWMgTm9lbDwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgQVQmYW1wO1QgTGFiczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgIEFUJmFtcDtUIExhYnM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIDIwMHMgTGF1cmVsIEF2ZW51ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIDIwMHMgTGF1cmVsIEF2ZW51ZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ ICAgTWlkZGxldG93biwgTkogIDA3NzQ3PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo dCI+ICAgTWlkZGxldG93biwgTkogIDA3NzQ3PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICBVbml0ZWQgU3RhdGVzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgVW5pdGVkIFN0YXRlczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48L3RyPgoKICAgICA8dHI+PHRkPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZD48L3RkPjwvdHI+CiAgICAgPHRyIGlk PSJlbmQiIGJnY29sb3I9ImdyYXkiPjx0aCBjb2xzcGFuPSI1IiBhbGlnbj0iY2VudGVyIj4m bmJzcDtFbmQgb2YgY2hhbmdlcy4gMzMgY2hhbmdlIGJsb2Nrcy4mbmJzcDs8L3RoPjwvdHI+ CiAgICAgPHRyIGNsYXNzPSJzdGF0cyI+PHRkPjwvdGQ+PHRoPjxpPjY5IGxpbmVzIGNoYW5n ZWQgb3IgZGVsZXRlZDwvaT48L3RoPjx0aD48aT4gPC9pPjwvdGg+PHRoPjxpPjY5IGxpbmVz IGNoYW5nZWQgb3IgYWRkZWQ8L2k+PC90aD48dGQ+PC90ZD48L3RyPgogICAgIDx0cj48dGQg Y29sc3Bhbj0iNSIgY2xhc3M9InNtYWxsIiBhbGlnbj0iY2VudGVyIj48YnI+VGhpcyBodG1s IGRpZmYgd2FzIHByb2R1Y2VkIGJ5IHJmY2RpZmYgMS40Ni4gVGhlIGxhdGVzdCB2ZXJzaW9u IGlzIGF2YWlsYWJsZSBmcm9tIDxhIGhyZWY9Imh0dHA6Ly93d3cudG9vbHMuaWV0Zi5vcmcv dG9vbHMvcmZjZGlmZi8iPmh0dHA6Ly90b29scy5pZXRmLm9yZy90b29scy9yZmNkaWZmLzwv YT4gPC90ZD48L3RyPgogICA8L3Rib2R5PjwvdGFibGU+CiAgIAogICAKPC9ib2R5PjwvaHRt bD4= --------------390091F2A6492B37560D541B-- From nobody Mon Mar 5 12:20:49 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D0F812D810 for ; Mon, 5 Mar 2018 12:20:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.91 X-Spam-Level: X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 884t5dDD__J8 for ; Mon, 5 Mar 2018 12:20:45 -0800 (PST) Received: from mailport8.csra.com (mailport8.csra.com [131.131.83.26]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91F2B12D77D for ; Mon, 5 Mar 2018 12:20:45 -0800 (PST) Received: from csrrdu1exm030.corp.csra.com (HELO mail.csra.com) ([10.176.90.40]) by mailport8.csra.com with ESMTP/TLS/AES256-SHA; 05 Mar 2018 15:20:44 -0500 Received: from CSRRDU1EXM025.corp.csra.com (10.176.90.35) by CSRRDU1EXM028.corp.csra.com (10.176.90.38) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 5 Mar 2018 15:20:43 -0500 Received: from CSRRDU1EXM025.corp.csra.com ([10.176.90.35]) by CSRRDU1EXM025.corp.csra.com ([10.176.90.35]) with mapi id 15.00.1263.000; Mon, 5 Mar 2018 15:20:43 -0500 From: "Gunn, Janet P" To: Steve Donovan , "dime@ietf.org" Thread-Topic: [Dime] Diff file for latest rate draft update Thread-Index: AQHTtLq7wMv8Qnn4ykSKLNtKJ6dyNaPCFVqw Date: Mon, 5 Mar 2018 20:20:43 +0000 Message-ID: <061cf640ee6d4f28ab8e62f472b92fb3@CSRRDU1EXM025.corp.csra.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-dg-ref: =?utf-8?B?UEcxbGRHRStQR0YwSUc1dFBTSmliMlI1TG5SNGRDSWdjRDBpWXpwY2RYTmxj?= =?utf-8?B?bk5jWjNWdWJtcGNZWEJ3WkdGMFlWeHliMkZ0YVc1blhEQTVaRGcwT1dJMkxU?= =?utf-8?B?TXlaRE10TkdFME1DMDROV1ZsTFRaaU9EUmlZVEk1WlRNMVlseHRjMmR6WEcx?= =?utf-8?B?elp5MWhaREV6TVRrMU9TMHlNR0l5TFRFeFpUZ3RZbVZtTmkxbE5HRTBOekUz?= =?utf-8?B?WTJOaFpHWmNZVzFsTFhSbGMzUmNZV1F4TXpFNU5XSXRNakJpTWkweE1XVTRM?= =?utf-8?B?V0psWmpZdFpUUmhORGN4TjJOallXUm1ZbTlrZVM1MGVIUWlJSE42UFNJME16?= =?utf-8?B?QWlJSFE5SWpFek1UWTBOelUwT0RReU5Ea3pNVFkyTWlJZ2FEMGlaM05tY2t3?= =?utf-8?B?NWFuVnZPVlJuWTFkaFVUUTVia051VHpOamIyRlpQU0lnYVdROUlpSWdZbXc5?= =?utf-8?B?SWpBaUlHSnZQU0l4SWlCamFUMGlZMEZCUVVGRlVraFZNVkpUVWxWR1RrTm5W?= =?utf-8?B?VUZCU25kSFFVRkNUMU5YZEhaMk4xUlVRVlJZU1UxdFNWWnVZM2xGVG1ObmVW?= =?utf-8?B?bG9WMlI2U1ZGTFFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVo?= =?utf-8?B?QlFVRkJRWE5DWjBGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVVZC?= =?utf-8?B?UVZGQlFrRkJRVUZJTXlzd1VHZEJRVUZCUVVGQlFVRkJRVUZCUVVGS05FRkJR?= =?utf-8?B?VUpvUVVkUlFWcEJRbmxCUjFWQlkzZENla0ZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJSVUZCUVVGQlFVRkJRVUZuUVVG?= =?utf-8?B?QlFVRkJibWRCUVVGSFRVRlpkMEptUVVkTlFXUlJRbnBCU0ZGQlluZENkRUZH?= =?utf-8?B?T0VGWlVVSjFRVWhyUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVZGQlFVRkJR?= =?utf-8?B?VUZCUVVGRFFVRkJRVUZCUTJWQlFVRkJXWGRDTVVGSVRVRmtRVUoyUVVjd1FW?= =?utf-8?B?aDNRbmRCUjFWQlkyZENla0ZIT0VGaVowRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRa0ZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVSkJRVUZCUVVGQlFVRkJTVUZCUVVGQlFVbzBRVUZCUW1wQlNGVkJZM2RD?= =?utf-8?B?TUVGSE9FRmlVVUptUVVoQlFXRkJRbkJCUjNOQldsRkNOVUZJWTBGaWQwSjVR?= =?utf-8?B?VWRSUVdOM1FVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZGUVVGQlFVRkJRVUZCUVdkQlFVRkJRVUZ1WjBGQlFV?= =?utf-8?B?ZE5RV1JSUW5wQlNGRkJZbmRDZEVGR09FRmpRVUp2UVVjNFFXSm5RbXhCUnpS?= =?utf-8?B?QlpGRkNkRUZIU1VGYVVVSjVRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlVVRkJRVUZCUVVGQlFVTkJRVUZC?= =?utf-8?B?UVVGRFpVRkJRVUZaZDBJeFFVaE5RV1JCUW5aQlJ6QkJXSGRDZWtGSVRVRmla?= =?utf-8?B?MEZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRa0ZCUVVGQlFV?= =?utf-8?B?RkJRVUZKUVVGQlFVRkJTalJCUVVGQ2EwRklaMEZZZDBKcVFVYzRRVnBCUW14?= =?utf-8?B?QlNFMUJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVWQlFVRkJRVUZCUVVGQlowRkJRVUZCUVc1blFVRkJSMVZCWWxGQ2FFRkhh?= =?utf-8?B?MEZpUVVKbVFVZEZRVnBCUW10QlNFbEJXbEZDZWtGSVRVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRV2RCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRlJRVUZCUVVGQlFVRkJRMEZCUVVGQlFVTmxRVUZCUVdG?= =?utf-8?B?QlFtcEJTRUZCV1hkQ2VrRkdPRUZaZDBKMlFVZFJRVnBSUW5wQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZDUVVGQlFVRkJRVUZCUVVsQlFVRkJR?= =?utf-8?B?VUZLTkVGQlFVSjNRVWhuUVZoM1FtcEJSemhCV2tGQ2JFRklUVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVG?= =?utf-8?B?QlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZC?= =?utf-8?B?UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJR?= =?utf-8?B?VUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFV?= =?utf-8?B?RkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlJVRkJRVUZCUVVG?= =?utf-8?B?QlFVRm5RVUZCUVVGQklpOCtQQzl0WlhSaFBnPT0=?= x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.176.253.110] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Subject: Re: [Dime] Diff file for latest rate draft update X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Mar 2018 20:20:47 -0000 TG9va3MgZ29vZCB0byBtZS4NCkphbmV0DQoNCi0tLS0tT3JpZ2luYWwgTWVzc2FnZS0tLS0tDQpG cm9tOiBEaU1FIFttYWlsdG86ZGltZS1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgU3Rl dmUgRG9ub3Zhbg0KU2VudDogTW9uZGF5LCBNYXJjaCA1LCAyMDE4IDI6NDcgUE0NClRvOiBkaW1l QGlldGYub3JnDQpTdWJqZWN0OiBbRGltZV0gRGlmZiBmaWxlIGZvciBsYXRlc3QgcmF0ZSBkcmFm dCB1cGRhdGUNCg0KQWxsLA0KDQpIZXJlJ3MgdGhlIGRpZmYgZmlsZSBmb3IgdGhlIGxhdGVzdCB1 cGRhdGUgdG8gZHJhZnQtaWV0Zi1kaW1lLWRvaWMtcmF0ZS1jb250cm9sLg0KDQpSZWdhcmRzLA0K DQpTdGV2ZQ0KDQpUaGlzIGVsZWN0cm9uaWMgbWVzc2FnZSB0cmFuc21pc3Npb24gY29udGFpbnMg aW5mb3JtYXRpb24gZnJvbSBDU1JBIHRoYXQgbWF5IGJlIGF0dG9ybmV5LWNsaWVudCBwcml2aWxl Z2VkLCBwcm9wcmlldGFyeSBvciBjb25maWRlbnRpYWwuIFRoZSBpbmZvcm1hdGlvbiBpbiB0aGlz IG1lc3NhZ2UgaXMgaW50ZW5kZWQgb25seSBmb3IgdXNlIGJ5IHRoZSBpbmRpdmlkdWFsKHMpIHRv IHdob20gaXQgaXMgYWRkcmVzc2VkLiBJZiB5b3UgYmVsaWV2ZSB5b3UgaGF2ZSByZWNlaXZlZCB0 aGlzIG1lc3NhZ2UgaW4gZXJyb3IsIHBsZWFzZSBjb250YWN0IG1lIGltbWVkaWF0ZWx5IGFuZCBi ZSBhd2FyZSB0aGF0IGFueSB1c2UsIGRpc2Nsb3N1cmUsIGNvcHlpbmcgb3IgZGlzdHJpYnV0aW9u IG9mIHRoZSBjb250ZW50cyBvZiB0aGlzIG1lc3NhZ2UgaXMgc3RyaWN0bHkgcHJvaGliaXRlZC4g Tk9URTogUmVnYXJkbGVzcyBvZiBjb250ZW50LCB0aGlzIGVtYWlsIHNoYWxsIG5vdCBvcGVyYXRl IHRvIGJpbmQgQ1NSQSB0byBhbnkgb3JkZXIgb3Igb3RoZXIgY29udHJhY3QgdW5sZXNzIHB1cnN1 YW50IHRvIGV4cGxpY2l0IHdyaXR0ZW4gYWdyZWVtZW50IG9yIGdvdmVybm1lbnQgaW5pdGlhdGl2 ZSBleHByZXNzbHkgcGVybWl0dGluZyB0aGUgdXNlIG9mIGVtYWlsIGZvciBzdWNoIHB1cnBvc2Uu DQo= From nobody Mon Mar 5 12:48:02 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA400127058 for ; Mon, 5 Mar 2018 12:47:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.008 X-Spam-Level: X-Spam-Status: No, score=-2.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tu0GaYz7Xxh7 for ; Mon, 5 Mar 2018 12:47:57 -0800 (PST) Received: from sonic305-4.consmr.mail.bf2.yahoo.com (sonic305-4.consmr.mail.bf2.yahoo.com [74.6.133.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE8D5126D85 for ; Mon, 5 Mar 2018 12:47:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1520282875; bh=jvEX9MTmYa5rf/Fe4e4K29Ayq5oEoIL2jiY9TB9mKgg=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=O9VxB44eq35zs/NwXDUwMuw6rwT1YiW7lMVG0sW2RrrKhTsODzANRy3hPxhT+aDylOkM+C0PONNy/TMBQdmpWdsFkEm3DMKYRLCH9pMiZzqhLtQ5OEn97GJxSL9Ykeb/hcAZB+tkPu5ZVX5xoOdT7PuBo0dPPIi/ey3mEXCHk1+3m+dzMePM6ylU7oO3Pnhq/NQOhi2006xy5t/ZyPfjfj4rN74zX8jvLvoz9FuJFFn2XCZeRg/vufHWWahF+1/jA1ELZFfrRAfMQgcUD5cRTAlMvBw7wLvWDnLTVtrB/4oYulX9cCfaWzWRlwWk0k1vYgyI9Wt6q7RMAPKxj17I3g== X-YMail-OSG: ASNgQ2IVM1n50i6MfybO1LDWmi7OfxHsXDDekNnEUV8KE80Blxzsdpu_yEXL47v .JwOPpnRBSTx7ShsizmucGcSN8Bte1MoDsf_5P9g.uBzRC09BnrjTI1q8.7rQW7Yt18.kmYCmVHH ElmjRX6UrTQ4_J0oKNujxNJJeKsPpEoZRbJPDEUIw6HUEsQV9T65IAnN__u3fac9Afxu5GTTAO22 01qrEkrTa9bLjXvPGycIAYAzVbaTPWwtY0MzXX9D0xY2NeVtnbntMnD8iKW8SIy3QJjsuhSo5BhC wouL29P7QX9mTSF4ef64o130cgWJY0pJ4w3fH0hs5tmKIrHBxMsLvmv2TJnHngJpZzt_sY1dmUZM IZN4.LcjHAYOEZhh9BVGXsUwfm_V8AxHMKGj5aT.kRmWgR6PquKkttm7paX1khXL3pg5nFnFXtD0 O65_1Fx53c9sRoZvORiWH0xvjtVj0U4pfDuaIS4dJCFQC5Vz72JzT7iBLfwH91rQzaQ-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.bf2.yahoo.com with HTTP; Mon, 5 Mar 2018 20:47:55 +0000 Date: Mon, 5 Mar 2018 20:37:20 +0000 (UTC) From: Yuval Lifshitz To: Ben Campbell Cc: ops-ads@ietf.org, dime@ietf.org, draft-ietf-dime-rfc4006bis.all@ietf.org Message-ID: <1444666056.11229924.1520282240683@mail.yahoo.com> In-Reply-To: <1410CC8D-8879-4435-AF6B-FBF5B9F9FA51@nostrum.com> References: <3C03A895-53C5-44D9-905F-9DD5248D3675@nostrum.com> <608352900.888044.1518623812177@mail.yahoo.com> <868034109.936629.1518628004592@mail.yahoo.com> <2108881588.5977405.1519629280512@mail.yahoo.com> <1410CC8D-8879-4435-AF6B-FBF5B9F9FA51@nostrum.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_11229923_1398735155.1520282240679" X-Mailer: WebService/1.1.11419 YMailNorrin Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 Archived-At: Subject: Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06 X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Mar 2018 20:48:00 -0000 ------=_Part_11229923_1398735155.1520282240679 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Ben,* Will remove the normative language from 15.2 and 15.3* "Is there = reasonable guidance one could give to not encode personal information in th= e URL?". The other option is passing the personal info in some out-of-band = way, it make the whole thing more complex, but could add that as a point to= consider* "Is there reasonable guidance that could be given to avoid putti= ng privacy sensitive info in these?" - not really, the goal of these AVPs i= s to carry such information if needed by the credit-control server On a different note, is there any active work done on Diameter base privacy= consideration and end2end/AVP encryption? Should this WG look into that? Yuval On Friday, March 2, 2018, 5:04:31 AM GMT+2, Ben Campbell wrote: =20 Hi Yuval, Thanks, this looks really good. You=E2=80=99ve done a lot of work here. I=E2=80=99m not sure the normative keywords are necessary; I think for some= thing like this it=E2=80=99s better to describe the risks and what people c= an do about it, but we generally can=E2=80=99t force people to follow that = guidance. Also, the added normative requirements in 15.2 and 15.3=C2=A0 are= significant new requriements, and may need working group discussion. I have a few more comments inline: Thanks! Ben. > On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz wrote: >=20 > Hi All, > Would appreciate if you can review/comment on the the following new secti= on: > 15.=C2=A0 Privacy Considerations >=20 >=C2=A0 =C2=A0 As the Diameter protocol, and especially credit control appl= ication, >=C2=A0 =C2=A0 deals with subscribers and their actions, extra care should = be taken >=C2=A0 =C2=A0 regarding the privacy of the subscribers.=C2=A0 In terms of = [RFC6973], >=C2=A0 =C2=A0 both the credit-control client and credit-control server are >=C2=A0 =C2=A0 intermediary entities, wherein the subscribers' privacy may = be >=C2=A0 =C2=A0 compromised even if no security issues exists, and only auth= orized >=C2=A0 =C2=A0 entities have access to the privacy-sensitive information. >=20 > 15.1.=C2=A0 Privacy Sensitive AVPs >=20 >=C2=A0 =C2=A0 The following AVPs contain privacy-sensitive information at = different >=C2=A0 =C2=A0 levels: >=20 >=C2=A0 =C2=A0 1.=C2=A0 CC-Correlation-Id AVP: may contain privacy-sensitiv= e information >=C2=A0 =C2=A0 =C2=A0 =C2=A0 as the service-provider may encode personal in= formation that >=C2=A0 =C2=A0 =C2=A0 =C2=A0 helps it correlate different subscriptions and= access >=C2=A0 =C2=A0 =C2=A0 =C2=A0 technologies. >=20 >=C2=A0 =C2=A0 2.=C2=A0 Check-Balance-Result AVP: contains information on t= he balance >=C2=A0 =C2=A0 =C2=A0 =C2=A0 status of the subscriber. >=20 >=C2=A0 =C2=A0 3.=C2=A0 Currency-Code AVP: contains information on the subs= criber's >=C2=A0 =C2=A0 =C2=A0 =C2=A0 locale. >=20 >=C2=A0 =C2=A0 4.=C2=A0 Cost-Unit AVP: contains privacy-sensitive informati= on, as a >=C2=A0 =C2=A0 =C2=A0 =C2=A0 human readable format of the Cost-Information = AVP. >=20 >=C2=A0 =C2=A0 5.=C2=A0 Service-Identifier AVP: may contain privacy-sensiti= ve >=C2=A0 =C2=A0 =C2=A0 =C2=A0 information about the subscriber's internet ac= tivity. >=20 >=C2=A0 =C2=A0 6.=C2=A0 Rating-Group AVP: may contain privacy-sensitive inf= ormation >=C2=A0 =C2=A0 =C2=A0 =C2=A0 about the subscriber's internet activity. >=20 >=C2=A0 =C2=A0 7.=C2=A0 Restriction-Filter-Rule AVP: the information inside= IPFilterRule >=C2=A0 =C2=A0 =C2=A0 =C2=A0 may be used to infer services used by the subs= criber. >=20 >=C2=A0 =C2=A0 8.=C2=A0 Redirect-Server-Address AVP: the service-provider m= ay embed >=C2=A0 =C2=A0 =C2=A0 =C2=A0 personal information on the subscriber in the = URL/I (e.g. to >=C2=A0 =C2=A0 =C2=A0 =C2=A0 create a personalized message).=C2=A0 Similar = AVPs are: Redirect- >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Address-URL, Redirect-Address-SIP-URI. Is there reasonable guidance one could give to not encode personal informat= ion in the URL? >=20 >=C2=A0 =C2=A0 9.=C2=A0 Service-Context-Id AVP: depending with how the serv= ice-provider >=C2=A0 =C2=A0 =C2=A0 =C2=A0 use it, it may contain privacy-sensitive infor= mation about the >=C2=A0 =C2=A0 =C2=A0 =C2=A0 service (e.g. access technology). >=20 >=C2=A0 =C2=A0 10.=C2=A0 Service-Parameter-Info AVP: depending with how the= service- >=C2=A0 =C2=A0 =C2=A0 =C2=A0 provider use it, it may contain privacy-sensit= ive information >=C2=A0 =C2=A0 =C2=A0 =C2=A0 about the subscriber (e.g. location). >=20 for both 9 and 10: =E2=80=9C=E2=80=A6 service-provider use it=E2=80=A6 =E2= =80=9C s/use/uses Is there reasonable guidance that could be given to avoid putting privacy s= ensitive info in these? >=C2=A0 =C2=A0 11.=C2=A0 Subscription-Id-Data AVP: contains the identity of= the >=C2=A0 =C2=A0 =C2=A0 =C2=A0 subscriber.=C2=A0 Similar AVPs are: Subscripti= on-Id-E164, >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Subscription-Id-IMSI, Subscription-Id-SIP-URI,= Subscription-Id- >=C2=A0 =C2=A0 =C2=A0 =C2=A0 NAI, Subscription-Id-Private. >=20 >=C2=A0 =C2=A0 12.=C2=A0 User-Equipment-Info-Value AVP: contains the identi= ty of the >=C2=A0 =C2=A0 =C2=A0 =C2=A0 device of the subscriber.=C2=A0 Similar AVPs a= re: User-Equipment- >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Info-IMEISV, User-Equipment-Info-MAC, User-Equ= ipment-Info-EUI64, >=C2=A0 =C2=A0 =C2=A0 =C2=A0 User-Equipment-Info-ModifiedEUI64, User-Equipm= ent-Info-IMEI. >=20 >=C2=A0 =C2=A0 13.=C2=A0 QoS-Final-Unit-Indication AVP: grouped AVP which m= ay contains >=C2=A0 =C2=A0 =C2=A0 =C2=A0 privacy-sensitive information in its sub-AVPs = (e.g IPFilterRule, >=C2=A0 =C2=A0 =C2=A0 =C2=A0 redirect address). >=20 >=C2=A0 =C2=A0 Note that some AVPs which are used in this document are defi= ned in >=C2=A0 =C2=A0 [RFC6733] and may contain privacy-sensitive information.=C2= =A0 These AVPs >=C2=A0 =C2=A0 are not listed above. >=20 > 15.2.=C2=A0 Data Minimization >=20 >=C2=A0 =C2=A0 Due to the nature of the credit control application, some pe= rsonal >=C2=A0 =C2=A0 data and identity information must be stored in both credit-= control >=C2=A0 =C2=A0 client and credit control server.=C2=A0 This, however, could= be minimized >=C2=A0 =C2=A0 by following these guidelines: >=20 >=C2=A0 =C2=A0 1.=C2=A0 Data stored in the credit-control client does not n= eed to be >=C2=A0 =C2=A0 =C2=A0 =C2=A0 persisted across sessions.=C2=A0 All data coul= d be deleted once the >=C2=A0 =C2=A0 =C2=A0 =C2=A0 session end, and reconstructed once a new sess= ion is initialized. >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Note that, while the credit-control server is = usually owned by >=C2=A0 =C2=A0 =C2=A0 =C2=A0 the service provider with which the subscriber= already has some >=C2=A0 =C2=A0 =C2=A0 =C2=A0 direct legal or business relationship (where p= rivacy level could >=C2=A0 =C2=A0 =C2=A0 =C2=A0 be agreed upon), this is not always true for t= he credit-control >=C2=A0 =C2=A0 =C2=A0 =C2=A0 client, that may be owned by a third-party. >=20 >=C2=A0 =C2=A0 2.=C2=A0 Some information about the subscriber has to be sto= red in >=C2=A0 =C2=A0 =C2=A0 =C2=A0 persistent storage in the credit-control serve= r (e.g. identity, >=C2=A0 =C2=A0 =C2=A0 =C2=A0 balance), however, per transaction information= does not have to >=C2=A0 =C2=A0 =C2=A0 =C2=A0 be stored in persistent storage, and per sessi= on information may >=C2=A0 =C2=A0 =C2=A0 =C2=A0 be deleted from persistent storage once the se= ssion ends. >=20 >=C2=A0 =C2=A0 3.=C2=A0 In some cases, per transaction information has to b= e stored on >=C2=A0 =C2=A0 =C2=A0 =C2=A0 the credit-control server, client, or both, fo= r regulatory, >=C2=A0 =C2=A0 =C2=A0 =C2=A0 auditability or debugging reasons.=C2=A0 Howev= er, this could be >=C2=A0 =C2=A0 =C2=A0 =C2=A0 minimized by following these guidelines: >=20 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 A.=C2=A0 Data retention SHOULD NOT exceed the = required durations >=20 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 B.=C2=A0 Transaction information SHOULD be agg= regated as much as >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 possible.=C2=A0 E.g.=C2=A0 prefe= r information per sessions vs. >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 information per rating-group; pr= efer hourly byte summary vs. >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 per transaction byte counts. >=20 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 C.=C2=A0 If not strictly needed, the more sens= itive information (E.g. >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 location, equipment type) SHOULD= be filtered out from such >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 logs.=C2=A0 Such information is = often used to make rating >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 decisions, and in this case, the= rating decision should be >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 logged instead of the data used = to make them >=20 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 D.=C2=A0 The credit-control server SHOULD be p= referred over the >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 credit-control client as the pla= ce where per transaction >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 information is stored, if needed= .=C2=A0 This is due to the reasons >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 explained in 1. I would avoid the above SHOULDs.=C2=A0 Rather, state these in terms of thin= gs people _can_ do to improve privacy. >=20 > 15.3.=C2=A0 Diameter Agents >=20 >=C2=A0 =C2=A0 Diameter agents, as described in [RFC6733], may be owned by = third- >=C2=A0 =C2=A0 parties.=C2=A0 To prevent from privacy sensitive information= from leaking >=C2=A0 =C2=A0 into them, it is RECOMMENDED to encrypt AVPs holding such >=C2=A0 =C2=A0 information, as listed in Section 15.1. Do you think people will actually do that? If not, there=E2=80=99s no point= in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know it will be= ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients and servers = could encrypt AVPs=E2=80=A6=E2=80=9D Also, since we don=E2=80=99t have an e2e crypto standard for Diameter (yet,= anyway), it would be hard to do this in an interoperable way. People would= have to agree on algorithms, key management, etc. That doesn=E2=80=99t mea= n we can=E2=80=99t mention it, but it argues against a normative requiremen= t. >=20 >=C2=A0 =C2=A0 In some cases, the Diameter agent requires access into priva= cy- >=C2=A0 =C2=A0 sensitive AVPs, in order to take correct routing decisions, = or even >=C2=A0 =C2=A0 modify the content of these AVPs.=C2=A0 In such a case it is= RECOMMENDED >=C2=A0 =C2=A0 to anonymize the identity of the subscriber, and encrypt any= other >=C2=A0 =C2=A0 AVP not used by the agent and can be used to identify the su= bscriber. >=20 >=20 >=20 >=20 >=20 > On Wednesday, February 14, 2018, 7:12:49 PM GMT+2, Ben Campbell wrote: >=20 >=20 > Even if we add privacy considerations to the base protocol, I think 4006b= is would still need privacy considerations that discuss the specific AVPs i= t defines. So I would go ahead and add considerations to 4006bis and avoid = the delay. The WG can discuss whether it would like to add more general con= siderations to the base protocol (either in a bis draft or an update). >=20 > Thanks! >=20 > Ben. >=20 > > On Feb 14, 2018, at 11:06 AM, Yuval Lifshitz wrote: > > > > Regarding "privacy considerations". Note that the base protocol RFC doe= s not have that. > > Ideally, this is added to base Diameter first, as many of the sensitive= AVPs come from there. > > Should we try to tackle that first (though this would delay the RFC4006= bis process)? > > Should we cover only 4006 AVPs and issues? > > > > Best Regards, > > > > Yuval > > > > > > On Wednesday, February 14, 2018, 5:56:52 PM GMT+2, Yuval Lifshitz wrote: > > > > > > Ben, > > First, thanks for the comments! > > > > Regarding the major comment, agree this should be added, it was already= agreed in the meeting we had in IETF96, but somehow slipped :-( > > > > Sections 12: all the AVPs mentioned in this section exists in RFC4006, = and has values that are already registered. As part of RFC4006bis we did no= t add any AVP that requires values enumeration (this was actually one of th= e issue we tried to tackle). What would you like to see different in this s= ection? > > What is the process for updating IANA with the references to the new do= c? Can this happen before RFC4006bis is officially accepted? > > > > Appendix B: the new AVPs do not impact the flows, therefore not added t= o the sample flows > > > > 8.34 agree, this is pretty bad. How about: > > If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT > >=C2=A0 =C2=A0 and the classification of the restricted traffic cannot be= expressed > >=C2=A0 =C2=A0 using IPFilterRule, or different actions (e.g., QoS) than = just > >=C2=A0 =C2=A0 allowing traffic needs to be enforced, then the QoS-Final-= Unit- > >=C2=A0 =C2=A0 Indication AVP SHOULD be used instead of the Final-Unit-In= dication > >=C2=A0 =C2=A0 AVP. > > > > > > 14. agree we should simplify as you suggested > > > > Best Regards, > > > > Yuval > > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell wrote: > > > > > > Hi, > > > > This is my AD Evaluation of draft-ietf-dime-rfc4006bis-06. Thanks for t= he work on this; it=E2=80=99s overall a good update. However, I have one ma= jor comment and a few minor or editorial comments. I=E2=80=99d like to disc= uss the major comment prior IETF last call. The rest can be handled along w= ith any last call feedback. > > > > Note that for all but the major comment, I mostly reviewed the diff fro= m RFC 4006. > > > > Thanks! > > > > Ben. > > > > =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80= =94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94 > > > > Major Comment: > > > > I strongly suggest that you add more privacy considerations. I realize = that it inherits its existing privacy considerations from RFC 4006, but tha= t was published in 2005. The IETF=E2=80=99s focus on privacy has evolved co= nsiderably since then, and I think this draft will get objections during IE= SG review without adding some more. > > > > I suggest the following: > > =E2=80=94 Create a =E2=80=9CPrivacy Considerations=E2=80=9D section sep= arate from the security considerations. > > =E2=80=94 Enumerate the AVPs that you think contain user identifiable i= nformation, persistent identifiers, or other privacy sensitive data. > > =E2=80=94 Make some non-normative recommendations concerning data minim= ization. That is, add a few sentences recommending that clients and servers= avoid capturing and/or log personal information beyond that needed for the= application's purpose. > > > > Minor Comments: > > > > -Section 12 and subsections: Please clarify that many of these elements= were already registered by RF 4006, and are not being =E2=80=9Cre-register= ed=E2=80=9D here. ( It=E2=80=99s perfectly okay to pull the registration in= formation forward into the bis draft; it just needs clarification.) Also, p= lease consider wether existing registrations should be updated to point to = this document rather than 4006. > > > > Appendices: Would any of the example flows benefit from including one o= r more of the new AVPs? > > > > Editorial and Nits: > > > > -Section 8.34: =E2=80=9C If the Final-Unit-Action AVP is set to RESTRIC= T_ACCESS or REDIRECT > > and the classification of the restricted traffic cannot be expressed > > using IPFilterRule, or different actions (e.g., QoS) than just > > allowing QoS needs to be enforced traffic, =E2=80=A6 =E2=80=9C > > > > I have trouble parsing the sentence. > > > > -14: "Even without any modification to the messages, an adversary can > >=C2=A0 invite a security threat by eavesdropping, as the transactions co= ntain private information about the user. > > =E2=80=9D > > I suggest =E2=80=9C =E2=80=A6 an adversary can eavesdrop on transaction= s that contain privacy-sensitive imformation=E2=80=9D > > > > > > > > > > > > > > > > > > _______________________________________________ > > DiME mailing list > > DiME@ietf.org > > https://www.ietf.org/mailman/listinfo/dime > _______________________________________________ > DiME mailing list > DiME@ietf.org > https://www.ietf.org/mailman/listinfo/dime =20 ------=_Part_11229923_1398735155.1520282240679 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi Ben,
* Will remove the normative language fro= m 15.2 and 15.3
* "Is there reasonable guidance one could give= to not encode personal information in the URL?". The other option is p= assing the personal info in some out-of-band way, it make the whole thing m= ore complex, but could add that as a point to consider
* "Is t= here reasonable guidance that could be given to avoid putting privacy sensi= tive info in these?" - not really, the goal of these AVPs is to carry s= uch information if needed by the credit-control server

=
On a different note, is there any active work done on Diameter base pr= ivacy consideration and end2end/AVP encryption? Should this WG look into th= at?

Yuval

=20
=20
On Friday, March 2, 2018, 5:04:31 AM GMT+2, Ben Cam= pbell <ben@nostrum.com> wrote:
=20

Hi Yuval,

Thanks, this looks really good. You=E2=80=99ve done a lot of = work here.

I=E2=80=99m not sure the no= rmative keywords are necessary; I think for something like this it=E2=80=99= s better to describe the risks and what people can do about it, but we gene= rally can=E2=80=99t force people to follow that guidance. Also, the added n= ormative requirements in 15.2 and 15.3  are significant new requriemen= ts, and may need working group discussion.

I have a few more comments inline:

Thanks!

Ben.

> On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz <yuvalif@yahoo.com> wrote:
>
> Hi All,
> Would appreciate if you can review= /comment on the the following new section:
> 15. = Privacy Considerations
>
> = ;   As the Diameter protocol, and especially credit control applicatio= n,
>    deals with subscribers and their act= ions, extra care should be taken
>    regard= ing the privacy of the subscribers.  In terms of [RFC6973],
>    both the credit-control client and credit-contr= ol server are
>    intermediary entities, wh= erein the subscribers' privacy may be
>    c= ompromised even if no security issues exists, and only authorized
>    entities have access to the privacy-sensitive i= nformation.
>
> 15.1.  Priv= acy Sensitive AVPs
>
>  &nb= sp; The following AVPs contain privacy-sensitive information at different>    levels:
>
>    1.  CC-Correlation-Id AVP: may contain pr= ivacy-sensitive information
>      &nbs= p; as the service-provider may encode personal information that
>        helps it correlate different sub= scriptions and access
>        te= chnologies.
>
>    2.&= nbsp; Check-Balance-Result AVP: contains information on the balance
>        status of the subscriber.
>
>    3.  Currency-= Code AVP: contains information on the subscriber's
>&n= bsp;       locale.
>
>    4.  Cost-Unit AVP: contains privacy-sensitive inf= ormation, as a
>        human rea= dable format of the Cost-Information AVP.
>
>    5.  Service-Identifier AVP: may contain p= rivacy-sensitive
>        informa= tion about the subscriber's internet activity.
>
>    6.  Rating-Group AVP: may contain pri= vacy-sensitive information
>       = ; about the subscriber's internet activity.
>
>    7.  Restriction-Filter-Rule AVP: the in= formation inside IPFilterRule
>      &n= bsp; may be used to infer services used by the subscriber.
>
>    8.  Redirect-Server-Addr= ess AVP: the service-provider may embed
>   =     personal information on the subscriber in the URL/I (e.g. t= o
>        create a personalized = message).  Similar AVPs are: Redirect-
>  &n= bsp;     Address-URL, Redirect-Address-SIP-URI.

Is there reasonable guidance one could give to not enc= ode personal information in the URL?

&= gt;
>    9.  Service-Context-Id AVP: = depending with how the service-provider
>   =     use it, it may contain privacy-sensitive information about = the
>        service (e.g. access= technology).
>
>    1= 0.  Service-Parameter-Info AVP: depending with how the service-
>        provider use it, it may contai= n privacy-sensitive information
>      =   about the subscriber (e.g. location).
>

for both 9 and 10: =E2=80=9C=E2=80=A6 servi= ce-provider use it=E2=80=A6 =E2=80=9C s/use/uses

Is there reasonable guidance that could be given to avoid puttin= g privacy sensitive info in these?

>= ;    11.  Subscription-Id-Data AVP: contains the identity of= the
>        subscriber.  S= imilar AVPs are: Subscription-Id-E164,
>    =     Subscription-Id-IMSI, Subscription-Id-SIP-URI, Subscription-= Id-
>        NAI, Subscription-Id= -Private.
>
>    12.&n= bsp; User-Equipment-Info-Value AVP: contains the identity of the
>        device of the subscriber.  = Similar AVPs are: User-Equipment-
>     = ;   Info-IMEISV, User-Equipment-Info-MAC, User-Equipment-Info-EUI64,<= br clear=3D"none">>        User-Equipment-Info-Modi= fiedEUI64, User-Equipment-Info-IMEI.
>
>    13.  QoS-Final-Unit-Indication AVP: grouped AVP = which may contains
>        priva= cy-sensitive information in its sub-AVPs (e.g IPFilterRule,
>        redirect address).
&g= t;
>    Note that some AVPs which are used = in this document are defined in
>    [RFC673= 3] and may contain privacy-sensitive information.  These AVPs
>    are not listed above.
> > 15.2.  Data Minimization
> =
>    Due to the nature of the credit contro= l application, some personal
>    data and i= dentity information must be stored in both credit-control
>    client and credit control server.  This, however, c= ould be minimized
>    by following these gu= idelines:
>
>    1.&nb= sp; Data stored in the credit-control client does not need to be
>        persisted across sessions.  = All data could be deleted once the
>    &nbs= p;   session end, and reconstructed once a new session is initialized.=
>        Note that, while the cre= dit-control server is usually owned by
>    =     the service provider with which the subscriber already has so= me
>        direct legal or busine= ss relationship (where privacy level could
>  &nb= sp;     be agreed upon), this is not always true for the credit-c= ontrol
>        client, that may b= e owned by a third-party.
>
>&nb= sp;   2.  Some information about the subscriber has to be stored = in
>        persistent storage in = the credit-control server (e.g. identity,
>  &nbs= p;     balance), however, per transaction information does not ha= ve to
>        be stored in persis= tent storage, and per session information may
>  =       be deleted from persistent storage once the session en= ds.
>
>    3.  In= some cases, per transaction information has to be stored on
>        the credit-control server, client, or b= oth, for regulatory,
>        audi= tability or debugging reasons.  However, this could be
>        minimized by following these guidelines:=
>
>        = A.  Data retention SHOULD NOT exceed the required durations
>
>        B.  = Transaction information SHOULD be aggregated as much as
&= gt;            possible.  E.g.  pre= fer information per sessions vs.
>     =       information per rating-group; prefer hourly byte summ= ary vs.
>            per= transaction byte counts.
>
>&nb= sp;       C.  If not strictly needed, the more sensitiv= e information (E.g.
>         = ;   location, equipment type) SHOULD be filtered out from such
>            logs.  Such i= nformation is often used to make rating
>   =         decisions, and in this case, the rating decisi= on should be
>           = ; logged instead of the data used to make them
>
>        D.  The credit-control s= erver SHOULD be preferred over the
>    &nbs= p;       credit-control client as the place where per transa= ction
>            infor= mation is stored, if needed.  This is due to the reasons
>            explained in 1.

I would avoid the above SHOULDs.  Rather,= state these in terms of things people _can_ do to improve privacy.

>
> 15.3.  Diam= eter Agents
>
>    Dia= meter agents, as described in [RFC6733], may be owned by third-
>    parties.  To prevent from privacy sensitive i= nformation from leaking
>    into them, it i= s RECOMMENDED to encrypt AVPs holding such
>  &nb= sp; information, as listed in Section 15.1.

Do you think people will actually do that? If not, there=E2=80=99s no= point in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know it w= ill be ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients and se= rvers could encrypt AVPs=E2=80=A6=E2=80=9D

Also, since we don=E2=80=99t have an e2e crypto standard for Diameter = (yet, anyway), it would be hard to do this in an interoperable way. People = would have to agree on algorithms, key management, etc. That doesn=E2=80=99= t mean we can=E2=80=99t mention it, but it argues against a normative requi= rement.


>
>    In some cases, the Diameter agent requires a= ccess into privacy-
>    sensitive AVPs, in = order to take correct routing decisions, or even
>&nbs= p;   modify the content of these AVPs.  In such a case it is RECO= MMENDED
>    to anonymize the identity of th= e subscriber, and encrypt any other
>    AVP= not used by the agent and can be used to identify the subscriber.
>
>
>
>
>
> On Wednesday, F= ebruary 14, 2018, 7:12:49 PM GMT+2, Ben Campbell <ben@nostrum.= com> wrote:
>
>
> Even if we add privacy considerations to the base protocol, = I think 4006bis would still need privacy considerations that discuss the sp= ecific AVPs it defines. So I would go ahead and add considerations to 4006b= is and avoid the delay. The WG can discuss whether it would like to add mor= e general considerations to the base protocol (either in a bis draft or an = update).
>
> Thanks!
>
> Ben.
>
> > On Feb 14, 2018, at 11:06 AM, Yuval Lifshitz <yuvalif@yahoo.com> wrote:
> >
> > Regarding "privacy considerations". Note that the base = protocol RFC does not have that.
> > Ideally, this = is added to base Diameter first, as many of the sensitive AVPs come from th= ere.
> > Should we try to tackle that first (though= this would delay the RFC4006bis process)?
> > Shou= ld we cover only 4006 AVPs and issues?
> >
> > Best Regards,
> >
> > Yuval
> >
> >= ;
> > On Wednesday, February 14, 2018, 5:56:52 PM G= MT+2, Yuval Lifshitz <yuvalif@yahoo.com> wrote:
> >
> >
> &= gt; Ben,
> > First, thanks for the comments!
> >
> > Regarding the major comme= nt, agree this should be added, it was already agreed in the meeting we had= in IETF96, but somehow slipped :-(
> >
> > Sections 12: all the AVPs mentioned in this section exists= in RFC4006, and has values that are already registered. As part of RFC4006= bis we did not add any AVP that requires values enumeration (this was actua= lly one of the issue we tried to tackle). What would you like to see differ= ent in this section?
> > What is the process for up= dating IANA with the references to the new doc? Can this happen before RFC4= 006bis is officially accepted?
> >
> > Appendix B: the new AVPs do not impact the flows, therefore not= added to the sample flows
> >
&g= t; > 8.34 agree, this is pretty bad. How about:
> &= gt; If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT
> >    and the classification of the restrict= ed traffic cannot be expressed
> >    usi= ng IPFilterRule, or different actions (e.g., QoS) than just
> >    allowing traffic needs to be enforced, then the Q= oS-Final-Unit-
> >    Indication AVP SHOU= LD be used instead of the Final-Unit-Indication
> >=     AVP.
> >
> ><= br clear=3D"none">> > 14. agree we should simplify as you suggested> >
> > Best Regards,
> >
> > Yuval
&= gt; > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell <= ben@nostrum.com> wrote:
> >
> >
> > Hi,
&= gt; >
> > This is my AD Evaluation of draft-ietf= -dime-rfc4006bis-06. Thanks for the work on this; it=E2=80=99s overall a go= od update. However, I have one major comment and a few minor or editorial c= omments. I=E2=80=99d like to discuss the major comment prior IETF last call= . The rest can be handled along with any last call feedback.
> >
> > Note that for all but the major c= omment, I mostly reviewed the diff from RFC 4006.
> &g= t;
> > Thanks!
> >
> > Ben.
> >
>= > =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80= =94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94
> >= ;
> > Major Comment:
> >> > I strongly suggest that you add more privacy cons= iderations. I realize that it inherits its existing privacy considerations = from RFC 4006, but that was published in 2005. The IETF=E2=80=99s focus on = privacy has evolved considerably since then, and I think this draft will ge= t objections during IESG review without adding some more.
> >
> > I suggest the following:
> > =E2=80=94 Create a =E2=80=9CPrivacy Considerations=E2=80= =9D section separate from the security considerations.
&g= t; > =E2=80=94 Enumerate the AVPs that you think contain user identifiab= le information, persistent identifiers, or other privacy sensitive data.> > =E2=80=94 Make some non-normative recommendations= concerning data minimization. That is, add a few sentences recommending th= at clients and servers avoid capturing and/or log personal information beyo= nd that needed for the application's purpose.
> >> > Minor Comments:
> >
> > -Section 12 and subsections: Please clarify that ma= ny of these elements were already registered by RF 4006, and are not being = =E2=80=9Cre-registered=E2=80=9D here. ( It=E2=80=99s perfectly okay to pull= the registration information forward into the bis draft; it just needs cla= rification.) Also, please consider wether existing registrations should be = updated to point to this document rather than 4006.
> = >
> > Appendices: Would any of the example flows= benefit from including one or more of the new AVPs?
>= >
> > Editorial and Nits:
>= ; >
> > -Section 8.34: =E2=80=9C If the Final-Un= it-Action AVP is set to RESTRICT_ACCESS or REDIRECT
> = > and the classification of the restricted traffic cannot be expressed> > using IPFilterRule, or different actions (e.g., = QoS) than just
> > allowing QoS needs to be enforce= d traffic, =E2=80=A6 =E2=80=9C
> >
> > I have trouble parsing the sentence.
> >= ;
> > -14: "Even without any modification to the me= ssages, an adversary can
> >  invite a securit= y threat by eavesdropping, as the transactions contain private information = about the user.
> > =E2=80=9D
>= ; > I suggest =E2=80=9C =E2=80=A6 an adversary can eavesdrop on transact= ions that contain privacy-sensitive imformation=E2=80=9D
= > >
> >
> >
> >
> >
> >=
> >
> >
= > > _______________________________________________
> > DiME mailing list
> > DiME@ietf.= org
> > https://w= ww.ietf.org/mailman/listinfo/dime

> ____________________= ___________________________
> DiME mailing list
> DiME@ietf.org
> https://www.ietf.org/mailman/listinfo/dime
------=_Part_11229923_1398735155.1520282240679-- From nobody Mon Mar 5 13:45:53 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE1FE12EB36; Mon, 5 Mar 2018 13:45:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.889 X-Spam-Level: X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HSCMhUx9X_-Y; Mon, 5 Mar 2018 13:45:46 -0800 (PST) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8751F12EB96; Mon, 5 Mar 2018 13:45:34 -0800 (PST) Received: from [10.0.1.10] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w25LjXTx040022 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 5 Mar 2018 15:45:33 -0600 (CST) (envelope-from ben@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.10] From: Ben Campbell Message-Id: <6BEEBB96-5E16-414F-AF79-7A6C05B80702@nostrum.com> Content-Type: multipart/signed; boundary="Apple-Mail=_DD8A12CB-9F90-49A2-A5C5-8A4E4A457924"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Date: Mon, 5 Mar 2018 15:45:31 -0600 In-Reply-To: <1444666056.11229924.1520282240683@mail.yahoo.com> Cc: ops-ads@ietf.org, dime@ietf.org, draft-ietf-dime-rfc4006bis.all@ietf.org To: Yuval Lifshitz References: <3C03A895-53C5-44D9-905F-9DD5248D3675@nostrum.com> <608352900.888044.1518623812177@mail.yahoo.com> <868034109.936629.1518628004592@mail.yahoo.com> <2108881588.5977405.1519629280512@mail.yahoo.com> <1410CC8D-8879-4435-AF6B-FBF5B9F9FA51@nostrum.com> <1444666056.11229924.1520282240683@mail.yahoo.com> X-Mailer: Apple Mail (2.3445.5.20) Archived-At: Subject: Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06 X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Mar 2018 21:45:53 -0000 --Apple-Mail=_DD8A12CB-9F90-49A2-A5C5-8A4E4A457924 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Mar 5, 2018, at 2:37 PM, Yuval Lifshitz wrote: >=20 > Hi Ben, > * Will remove the normative language from 15.2 and 15.3 > * "Is there reasonable guidance one could give to not encode personal = information in the URL?". The other option is passing the personal info = in some out-of-band way, it make the whole thing more complex, but could = add that as a point to consider Well, there=E2=80=99s a difference between constructing a a URL in form = of =E2=80=9Cserver//=E2=80=A6 vs = =E2=80=9Cserver//=E2=80=A6=E2=80=9D. Both may have privacy = issues but the latter seem worse. > * "Is there reasonable guidance that could be given to avoid putting = privacy sensitive info in these?" - not really, the goal of these AVPs = is to carry such information if needed by the credit-control server The text said =E2=80=9Cdepending on how the service-provider uses = them=E2=80=9D. Can you elaborate on that? It doesn=E2=80=99t need to be = details, maybe just a sentence or two. >=20 > On a different note, is there any active work done on Diameter base = privacy consideration and end2end/AVP encryption? Should this WG look = into that? There=E2=80=99s been off and on work on e2e encryption. RFC 7966 offers = a problem statement and requirements. I don=E2=80=99t think we are = likely to find energy in DIME to progress a solution at this time, but = I=E2=80=99d love to be proven wrong :-) >=20 > Yuval >=20 > On Friday, March 2, 2018, 5:04:31 AM GMT+2, Ben Campbell = wrote: >=20 > Hi Yuval, >=20 > Thanks, this looks really good. You=E2=80=99ve done a lot of work = here. >=20 > I=E2=80=99m not sure the normative keywords are necessary; I think for = something like this it=E2=80=99s better to describe the risks and what = people can do about it, but we generally can=E2=80=99t force people to = follow that guidance. Also, the added normative requirements in 15.2 and = 15.3 are significant new requriements, and may need working group = discussion. >=20 > I have a few more comments inline: >=20 > Thanks! >=20 > Ben. >=20 > > On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz = wrote: > > > > Hi All, > > Would appreciate if you can review/comment on the the following new = section: > > 15. Privacy Considerations > > > > As the Diameter protocol, and especially credit control = application, > > deals with subscribers and their actions, extra care should be = taken > > regarding the privacy of the subscribers. In terms of [RFC6973], > > both the credit-control client and credit-control server are > > intermediary entities, wherein the subscribers' privacy may be > > compromised even if no security issues exists, and only = authorized > > entities have access to the privacy-sensitive information. > > > > 15.1. Privacy Sensitive AVPs > > > > The following AVPs contain privacy-sensitive information at = different > > levels: > > > > 1. CC-Correlation-Id AVP: may contain privacy-sensitive = information > > as the service-provider may encode personal information that > > helps it correlate different subscriptions and access > > technologies. > > > > 2. Check-Balance-Result AVP: contains information on the balance > > status of the subscriber. > > > > 3. Currency-Code AVP: contains information on the subscriber's > > locale. > > > > 4. Cost-Unit AVP: contains privacy-sensitive information, as a > > human readable format of the Cost-Information AVP. > > > > 5. Service-Identifier AVP: may contain privacy-sensitive > > information about the subscriber's internet activity. > > > > 6. Rating-Group AVP: may contain privacy-sensitive information > > about the subscriber's internet activity. > > > > 7. Restriction-Filter-Rule AVP: the information inside = IPFilterRule > > may be used to infer services used by the subscriber. > > > > 8. Redirect-Server-Address AVP: the service-provider may embed > > personal information on the subscriber in the URL/I (e.g. to > > create a personalized message). Similar AVPs are: Redirect- > > Address-URL, Redirect-Address-SIP-URI. >=20 > Is there reasonable guidance one could give to not encode personal = information in the URL? >=20 > > > > 9. Service-Context-Id AVP: depending with how the = service-provider > > use it, it may contain privacy-sensitive information about = the > > service (e.g. access technology). > > > > 10. Service-Parameter-Info AVP: depending with how the service- > > provider use it, it may contain privacy-sensitive information > > about the subscriber (e.g. location). > > >=20 > for both 9 and 10: =E2=80=9C=E2=80=A6 service-provider use it=E2=80=A6 = =E2=80=9C s/use/uses >=20 > Is there reasonable guidance that could be given to avoid putting = privacy sensitive info in these? >=20 > > 11. Subscription-Id-Data AVP: contains the identity of the > > subscriber. Similar AVPs are: Subscription-Id-E164, > > Subscription-Id-IMSI, Subscription-Id-SIP-URI, = Subscription-Id- > > NAI, Subscription-Id-Private. > > > > 12. User-Equipment-Info-Value AVP: contains the identity of the > > device of the subscriber. Similar AVPs are: User-Equipment- > > Info-IMEISV, User-Equipment-Info-MAC, = User-Equipment-Info-EUI64, > > User-Equipment-Info-ModifiedEUI64, User-Equipment-Info-IMEI. > > > > 13. QoS-Final-Unit-Indication AVP: grouped AVP which may = contains > > privacy-sensitive information in its sub-AVPs (e.g = IPFilterRule, > > redirect address). > > > > Note that some AVPs which are used in this document are defined = in > > [RFC6733] and may contain privacy-sensitive information. These = AVPs > > are not listed above. > > > > 15.2. Data Minimization > > > > Due to the nature of the credit control application, some = personal > > data and identity information must be stored in both = credit-control > > client and credit control server. This, however, could be = minimized > > by following these guidelines: > > > > 1. Data stored in the credit-control client does not need to be > > persisted across sessions. All data could be deleted once = the > > session end, and reconstructed once a new session is = initialized. > > Note that, while the credit-control server is usually owned = by > > the service provider with which the subscriber already has = some > > direct legal or business relationship (where privacy level = could > > be agreed upon), this is not always true for the = credit-control > > client, that may be owned by a third-party. > > > > 2. Some information about the subscriber has to be stored in > > persistent storage in the credit-control server (e.g. = identity, > > balance), however, per transaction information does not have = to > > be stored in persistent storage, and per session information = may > > be deleted from persistent storage once the session ends. > > > > 3. In some cases, per transaction information has to be stored = on > > the credit-control server, client, or both, for regulatory, > > auditability or debugging reasons. However, this could be > > minimized by following these guidelines: > > > > A. Data retention SHOULD NOT exceed the required durations > > > > B. Transaction information SHOULD be aggregated as much as > > possible. E.g. prefer information per sessions vs. > > information per rating-group; prefer hourly byte summary = vs. > > per transaction byte counts. > > > > C. If not strictly needed, the more sensitive information = (E.g. > > location, equipment type) SHOULD be filtered out from = such > > logs. Such information is often used to make rating > > decisions, and in this case, the rating decision should = be > > logged instead of the data used to make them > > > > D. The credit-control server SHOULD be preferred over the > > credit-control client as the place where per transaction > > information is stored, if needed. This is due to the = reasons > > explained in 1. >=20 > I would avoid the above SHOULDs. Rather, state these in terms of = things people _can_ do to improve privacy. >=20 > > > > 15.3. Diameter Agents > > > > Diameter agents, as described in [RFC6733], may be owned by = third- > > parties. To prevent from privacy sensitive information from = leaking > > into them, it is RECOMMENDED to encrypt AVPs holding such > > information, as listed in Section 15.1. >=20 > Do you think people will actually do that? If not, there=E2=80=99s no = point in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know it = will be ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients = and servers could encrypt AVPs=E2=80=A6=E2=80=9D >=20 > Also, since we don=E2=80=99t have an e2e crypto standard for Diameter = (yet, anyway), it would be hard to do this in an interoperable way. = People would have to agree on algorithms, key management, etc. That = doesn=E2=80=99t mean we can=E2=80=99t mention it, but it argues against = a normative requirement. >=20 >=20 > > > > In some cases, the Diameter agent requires access into privacy- > > sensitive AVPs, in order to take correct routing decisions, or = even > > modify the content of these AVPs. In such a case it is = RECOMMENDED > > to anonymize the identity of the subscriber, and encrypt any = other > > AVP not used by the agent and can be used to identify the = subscriber. > > > > > > > > > > > > On Wednesday, February 14, 2018, 7:12:49 PM GMT+2, Ben Campbell = wrote: > > > > > > Even if we add privacy considerations to the base protocol, I think = 4006bis would still need privacy considerations that discuss the = specific AVPs it defines. So I would go ahead and add considerations to = 4006bis and avoid the delay. The WG can discuss whether it would like to = add more general considerations to the base protocol (either in a bis = draft or an update). > > > > Thanks! > > > > Ben. > > > > > On Feb 14, 2018, at 11:06 AM, Yuval Lifshitz = wrote: > > > > > > Regarding "privacy considerations". Note that the base protocol = RFC does not have that. > > > Ideally, this is added to base Diameter first, as many of the = sensitive AVPs come from there. > > > Should we try to tackle that first (though this would delay the = RFC4006bis process)? > > > Should we cover only 4006 AVPs and issues? > > > > > > Best Regards, > > > > > > Yuval > > > > > > > > > On Wednesday, February 14, 2018, 5:56:52 PM GMT+2, Yuval Lifshitz = wrote: > > > > > > > > > Ben, > > > First, thanks for the comments! > > > > > > Regarding the major comment, agree this should be added, it was = already agreed in the meeting we had in IETF96, but somehow slipped :-( > > > > > > Sections 12: all the AVPs mentioned in this section exists in = RFC4006, and has values that are already registered. As part of = RFC4006bis we did not add any AVP that requires values enumeration (this = was actually one of the issue we tried to tackle). What would you like = to see different in this section? > > > What is the process for updating IANA with the references to the = new doc? Can this happen before RFC4006bis is officially accepted? > > > > > > Appendix B: the new AVPs do not impact the flows, therefore not = added to the sample flows > > > > > > 8.34 agree, this is pretty bad. How about: > > > If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT > > > and the classification of the restricted traffic cannot be = expressed > > > using IPFilterRule, or different actions (e.g., QoS) than just > > > allowing traffic needs to be enforced, then the QoS-Final-Unit- > > > Indication AVP SHOULD be used instead of the = Final-Unit-Indication > > > AVP. > > > > > > > > > 14. agree we should simplify as you suggested > > > > > > Best Regards, > > > > > > Yuval > > > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell = wrote: > > > > > > > > > Hi, > > > > > > This is my AD Evaluation of draft-ietf-dime-rfc4006bis-06. Thanks = for the work on this; it=E2=80=99s overall a good update. However, I = have one major comment and a few minor or editorial comments. I=E2=80=99d = like to discuss the major comment prior IETF last call. The rest can be = handled along with any last call feedback. > > > > > > Note that for all but the major comment, I mostly reviewed the = diff from RFC 4006. > > > > > > Thanks! > > > > > > Ben. > > > > > > =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80= =94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94 > > > > > > Major Comment: > > > > > > I strongly suggest that you add more privacy considerations. I = realize that it inherits its existing privacy considerations from RFC = 4006, but that was published in 2005. The IETF=E2=80=99s focus on = privacy has evolved considerably since then, and I think this draft will = get objections during IESG review without adding some more. > > > > > > I suggest the following: > > > =E2=80=94 Create a =E2=80=9CPrivacy Considerations=E2=80=9D = section separate from the security considerations. > > > =E2=80=94 Enumerate the AVPs that you think contain user = identifiable information, persistent identifiers, or other privacy = sensitive data. > > > =E2=80=94 Make some non-normative recommendations concerning data = minimization. That is, add a few sentences recommending that clients and = servers avoid capturing and/or log personal information beyond that = needed for the application's purpose. > > > > > > Minor Comments: > > > > > > -Section 12 and subsections: Please clarify that many of these = elements were already registered by RF 4006, and are not being = =E2=80=9Cre-registered=E2=80=9D here. ( It=E2=80=99s perfectly okay to = pull the registration information forward into the bis draft; it just = needs clarification.) Also, please consider wether existing = registrations should be updated to point to this document rather than = 4006. > > > > > > Appendices: Would any of the example flows benefit from including = one or more of the new AVPs? > > > > > > Editorial and Nits: > > > > > > -Section 8.34: =E2=80=9C If the Final-Unit-Action AVP is set to = RESTRICT_ACCESS or REDIRECT > > > and the classification of the restricted traffic cannot be = expressed > > > using IPFilterRule, or different actions (e.g., QoS) than just > > > allowing QoS needs to be enforced traffic, =E2=80=A6 =E2=80=9C > > > > > > I have trouble parsing the sentence. > > > > > > -14: "Even without any modification to the messages, an adversary = can > > > invite a security threat by eavesdropping, as the transactions = contain private information about the user. > > > =E2=80=9D > > > I suggest =E2=80=9C =E2=80=A6 an adversary can eavesdrop on = transactions that contain privacy-sensitive imformation=E2=80=9D > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > DiME mailing list > > > DiME@ietf.org > > > https://www.ietf.org/mailman/listinfo/dime >=20 > > _______________________________________________ > > DiME mailing list > > DiME@ietf.org > > https://www.ietf.org/mailman/listinfo/dime --Apple-Mail=_DD8A12CB-9F90-49A2-A5C5-8A4E4A457924 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIzBAEBCgAdFiEExW9rpd7ez4DexOFOgFZKbJXz1A0FAlqdunsACgkQgFZKbJXz 1A1koxAArY+bowu9pTj10nQHbqkp+NTBT6v48hVLpjtIH6za35HnB7BWZL8npZK6 c4SjLFgHx1IgmAdvZQ7Y5LK41naHz5L2NHw+13Wx5Mf53ArNwNUnK/wNRVjiNJTS f4gbAJynPBlq1fn31oBtCma0DNAzyfjtUc2Dy/6dPhcbR+XDbH2fHeVhdU47RetW clLxLJoCBXOhj1gnI9VIlBjw32wYB7D9JQY6qaoZaolo2Hm1PPWTgyEub8s7e2Fx oDKejJyw4n4r2up5rhXRwwltIZK8pVxeDHUBQqo84rccrop3nTaOEnBpkus2iEBe tV82Z+1hXQWZgOCjoFBcHfA1B5R3KoKsb+vuehazy4s1BgNBFVkNcKvDjxlhE4p+ zGWy3bNl73DiOY9kqj/41aHaeKQwez+xu6ttjTniPyiTNtRAFTfISs3kxwFmeN7D OrYqas2E2k5bznt8eaa5dYVMyyRV7fjEIn6sdyzWx5JRi49s4GiaswmNbEmnIs8Q oNIC2CmFgmqhBrOAe1XT0oXqgBDd1kmJn90i9+IT5luvczikQRFiZX6o38isZzCZ oAleZKNH2ZrDXCeWs48cw9XGNHt8qjrRQI/ezd9EQEfhITWryLn+9nHdapg9tJnO gJ2C6W/VQm9bGlZv8mcH0oRyWwfjbm+xxxiovRe6Gi2QAT2kv2c= =p9Y7 -----END PGP SIGNATURE----- --Apple-Mail=_DD8A12CB-9F90-49A2-A5C5-8A4E4A457924-- From nobody Tue Mar 6 02:49:00 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9840D127137 for ; Tue, 6 Mar 2018 02:48:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.211 X-Spam-Level: X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-px-3o96C-c for ; Tue, 6 Mar 2018 02:48:07 -0800 (PST) Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08153126CF6 for ; Tue, 6 Mar 2018 02:48:07 -0800 (PST) Received: by rfc-editor.org (Postfix, from userid 30) id EF13EB80E97; Tue, 6 Mar 2018 02:47:50 -0800 (PST) To: jouni.nospam@gmail.com, srdonovan@usdonovans.com, ben@nostrum.com, lionel.morand@orange.com, bclaise@cisco.com, warren@kumari.net, jouni.nospam@gmail.com, lionel.morand@orange.com X-PHP-Originating-Script: 30:errata_mail_lib.php From: RFC Errata System Cc: lionel.morand@orange.com, dime@ietf.org, rfc-editor@rfc-editor.org Content-Type: text/plain; charset=UTF-8 Message-Id: <20180306104750.EF13EB80E97@rfc-editor.org> Date: Tue, 6 Mar 2018 02:47:50 -0800 (PST) Archived-At: X-Mailman-Approved-At: Tue, 06 Mar 2018 02:48:59 -0800 Subject: [Dime] [Technical Errata Reported] RFC7683 (5277) X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Mar 2018 10:48:09 -0000 The following errata report has been submitted for RFC7683, "Diameter Overload Indication Conveyance". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata/eid5277 -------------------------------------- Type: Technical Reported by: Lionel Morand Section: 7.2 Original Text ------------- 7.2. OC-Feature-Vector AVP The OC-Feature-Vector AVP (AVP Code 622) is of type Unsigned64 and contains a 64-bit flags field of announced capabilities of a DOIC node. The value of zero (0) is reserved. The OC-Feature-Vector sub-AVP is used to announce the DOIC features supported by the DOIC node, in the form of a flag-bits field in which each bit announces one feature or capability supported by the node. The absence of the OC-Feature-Vector AVP in request messages indicates that only the default traffic abatement algorithm described in this specification is supported. The absence of the OC-Feature- Vector AVP in answer messages indicates that the default traffic abatement algorithm described in this specification is selected (while other traffic abatement algorithms may be supported), and no features other than abatement algorithms are supported. The following capability is defined in this document: OLR_DEFAULT_ALGO (0x0000000000000001) When this flag is set by the a DOIC reacting node, it means that the default traffic abatement (loss) algorithm is supported. When this flag is set by a DOIC reporting node, it means that the loss algorithm will be used for requested overload abatement. Corrected Text -------------- 7.2. OC-Feature-Vector AVP The OC-Feature-Vector AVP (AVP Code 622) is of type Unsigned64 and contains a 64-bit flags field of announced capabilities of a DOIC node. The value of zero (0) is reserved. Note: The value of zero (0) any DOIC node supports at least the Loss algorithm. Therefore, the OC-Feature-Vector AVP cannot be sent with no bit set. The OC-Feature-Vector sub-AVP is used to announce the DOIC features supported by the DOIC node, in the form of a flag-bits field in which each bit announces one feature or capability supported by the node. The absence of the OC-Feature-Vector AVP in request messages indicates that only the default traffic abatement algorithm described in this specification is supported. The absence of the OC-Feature- Vector AVP in answer messages indicates that the default traffic abatement algorithm described in this specification is selected (while other traffic abatement algorithms may be supported), and no features other than abatement algorithms are supported. The following capability is defined in this document: +---+------------------+----------------------------------------------+ |bit| Feature Name | Description | +---+------------------+----------------------------------------------+ | 0 | OLR_DEFAULT_ALGO |When set by a DOIC reacting node, it means | | | |that the default traffic abatement (loss) | | | |algorithm is supported. When set by a DOIC | | | |reporting node, it means that the loss | | | |algorithm will be used for requested overload | | | |abatment. | +---+------------------+----------------------------------------------+ Notes ----- The OC-Feature-Vector AVP is a 64-bit flag field and not a set of values (one per feature). Using the hexadecimal notation, it gives the feeling that there is a unique value for the OC-Feature-Vector AVP per supported capability, hich is incorrect. It is only required to define the use of each bit. This errata report has an impact on the associated IANA regisrty. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC7683 (draft-ietf-dime-ovli-10) -------------------------------------- Title : Diameter Overload Indication Conveyance Publication Date : October 2015 Author(s) : J. Korhonen, Ed., S. Donovan, Ed., B. Campbell, L. Morand Category : PROPOSED STANDARD Source : Diameter Maintenance and Extensions Area : Operations and Management Stream : IETF Verifying Party : IESG From nobody Tue Mar 6 02:56:53 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A55A9127369 for ; Tue, 6 Mar 2018 02:56:19 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.211 X-Spam-Level: X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5lSgdI1Y9goU for ; Tue, 6 Mar 2018 02:56:18 -0800 (PST) Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA3D6126CF6 for ; Tue, 6 Mar 2018 02:56:17 -0800 (PST) Received: by rfc-editor.org (Postfix, from userid 30) id DFABEB81068; Tue, 6 Mar 2018 02:56:01 -0800 (PST) To: jouni.nospam@gmail.com, srdonovan@usdonovans.com, ben@nostrum.com, lionel.morand@orange.com, bclaise@cisco.com, warren@kumari.net, jouni.nospam@gmail.com, lionel.morand@orange.com X-PHP-Originating-Script: 30:errata_mail_lib.php From: RFC Errata System Cc: lionel.morand@orange.com, dime@ietf.org, rfc-editor@rfc-editor.org Content-Type: text/plain; charset=UTF-8 Message-Id: <20180306105601.DFABEB81068@rfc-editor.org> Date: Tue, 6 Mar 2018 02:56:01 -0800 (PST) Archived-At: X-Mailman-Approved-At: Tue, 06 Mar 2018 02:56:51 -0800 Subject: [Dime] [Technical Errata Reported] RFC7683 (5278) X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Mar 2018 10:56:20 -0000 The following errata report has been submitted for RFC7683, "Diameter Overload Indication Conveyance". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata/eid5278 -------------------------------------- Type: Technical Reported by: Lionel Morand Section: 9.2 Original Text ------------- 9.2. New Registries Two new registries have been created in the "AVP Specific Values" sub-registry under the "Authentication, Authorization, and Accounting (AAA) Parameters" registry. A new "OC-Feature-Vector AVP Values (code 622)" registry has been created. This registry contains the following: Feature Vector Value Name Feature Vector Value Specification defining the new value See Section 7.2 for the initial Feature Vector Value in the registry. This specification defines the value. New values can be added to the registry using the Specification Required policy [RFC5226]. A new "OC-Report-Type AVP Values (code 626)" registry has been created. This registry contains the following: Report Type Value Name Report Type Value Specification defining the new value See Section 7.6 for the initial assignment in the registry. New types can be added using the Specification Required policy [RFC5226]. Corrected Text -------------- 9.2. New Registries Two new registries have been created in the "AVP Specific Values" sub-registry under the "Authentication, Authorization, and Accounting (AAA) Parameters" registry. A new "OC-Feature-Vector AVP Values (code 622)" registry has been created. This registry contains the following: Assigned Bit Feature Name Specification defining the new capability See Section 7.2 for the initial assigned bit in the registry. This specification defines the capbility announced by the setting of this bit. New values can be added to the registry using the Specification Required policy [RFC5226]. A new "OC-Report-Type AVP Values (code 626)" registry has been created. This registry contains the following: Report Type Value Name Report Type Value Specification defining the new value See Section 7.6 for the initial assignment in the registry. New types can be added using the Specification Required policy [RFC5226]. Notes ----- This errata report is linked to the following errata report: Errata ID: 5277 The IANA registry created for the OC-Feature-Vector AVP Values (code 622) should only describe the use of the bit assigned to a given feature. There is no AVP value assigned to a given feature. The associated IANA registry should provide a table describing the setting of the bit assigned to a given feature/capability. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC7683 (draft-ietf-dime-ovli-10) -------------------------------------- Title : Diameter Overload Indication Conveyance Publication Date : October 2015 Author(s) : J. Korhonen, Ed., S. Donovan, Ed., B. Campbell, L. Morand Category : PROPOSED STANDARD Source : Diameter Maintenance and Extensions Area : Operations and Management Stream : IETF Verifying Party : IESG From nobody Tue Mar 6 06:34:17 2018 Return-Path: X-Original-To: dime@ietf.org Delivered-To: dime@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B4A3F128961; Tue, 6 Mar 2018 06:34:16 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: Lionel Morand To: X-Test-IDTracker: no X-IETF-IDTracker: 6.74.0 Auto-Submitted: auto-generated Precedence: bulk Cc: Lionel Morand , dime-chairs@ietf.org, iesg-secretary@ietf.org, dime@ietf.org, lionel.morand@orange.com Message-ID: <152034685673.28283.14591734994751552737.idtracker@ietfa.amsl.com> Date: Tue, 06 Mar 2018 06:34:16 -0800 Archived-At: Subject: [Dime] Publication has been requested for draft-ietf-dime-doic-rate-control-08 X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Mar 2018 14:34:17 -0000 Lionel Morand has requested publication of draft-ietf-dime-doic-rate-control-08 as Proposed Standard on behalf of the DIME working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-dime-doic-rate-control/ From nobody Tue Mar 6 12:55:31 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 602871205D3 for ; Tue, 6 Mar 2018 12:55:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.009 X-Spam-Level: X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W_Zt1Dt3Sho0 for ; Tue, 6 Mar 2018 12:55:25 -0800 (PST) Received: from sonic312-22.consmr.mail.ne1.yahoo.com (sonic312-22.consmr.mail.ne1.yahoo.com [66.163.191.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8483212AF84 for ; Tue, 6 Mar 2018 12:55:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1520369723; bh=2TUMXx3SGX+CRBJqycFdfN7DQOSpJ2C3mX7bJd16rL0=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=VvaxG3zLGVXujuSJQs2FuhzDlOWJlzz9mQ35z3ItO1Iyyyh8mDsBCNgM2h8cmwj9fFGipcNp/da51HVJq7xBWWwztQpzPG51U8PYnW25gJs/Ku8jcCoB9IHWO4eRTHBr1BwdiDn8K8j5D9ky9Db3AMYijGuj6j0BWNRGMEDzdgu7AtjJ1xFtGxRCL42S2x7liW61JQxrpMaXBgqp25LQoszEwKIbZKojFnBbXWZQuNTuOja5FteQI04XoUyrqpUYSj59RmABJv8a7tlY4rA322M/8K8X1IgMouIzEtvnj/4BFXHmVjMgiOK4EI+3DS81lD2HEzs0LGC3RCiPux39tA== X-YMail-OSG: te6hka4VM1k6xM4f_lEbQM7BmFzX5KV6XhVqG57zhDnYEZpHHpuX18a0g1nY21o g0LAAMHB5UMAXOokrxoebu4DlcAr0DvOIWgHVp2mnYxWNLXmDjNTv7sCbAIwz2q1VjVAr3j2ccii VTH698ayzPUV1En01eEsmKvXcJb8OidiU4sxAkkbUYlVM4MYKIyakTdxwzPOwkDAINT9W2syXhF1 Tc1MolpIysi.jESnSfZ8zA8hE4ME1s8icHRuNhoZdoC0ou1g0FavSid.BmnkWe5SRyjuervDsxoO OlwapcLPSC6zXtelamhyFfGyPn_oeXy1SR_X2Ht2M_Am31pU9jXDTiRdaUhtZ2aKAqoKlKu7Vjm2 Hf6VpxVZDpUYJsHg74lC6q7KfQPGw9t2lm8g7rKp40oGjD3aLfouXBRjsjUVtppnQgEYA37zQiUY NfqpKc_0rgTY7MpM2o8X1sJaBdwgsf24Yfvu_aQY7dmYe2hhUGlqK3sAI.v0iD_ywfOwR6IafSvv VeVgRrEc- Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Tue, 6 Mar 2018 20:55:23 +0000 Date: Tue, 6 Mar 2018 20:55:22 +0000 (UTC) From: Yuval Lifshitz To: Ben Campbell Cc: ops-ads@ietf.org, dime@ietf.org, draft-ietf-dime-rfc4006bis.all@ietf.org Message-ID: <563712218.12128498.1520369722254@mail.yahoo.com> In-Reply-To: <6BEEBB96-5E16-414F-AF79-7A6C05B80702@nostrum.com> References: <3C03A895-53C5-44D9-905F-9DD5248D3675@nostrum.com> <608352900.888044.1518623812177@mail.yahoo.com> <868034109.936629.1518628004592@mail.yahoo.com> <2108881588.5977405.1519629280512@mail.yahoo.com> <1410CC8D-8879-4435-AF6B-FBF5B9F9FA51@nostrum.com> <1444666056.11229924.1520282240683@mail.yahoo.com> <6BEEBB96-5E16-414F-AF79-7A6C05B80702@nostrum.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_12128497_962282822.1520369722249" X-Mailer: WebService/1.1.11419 YMailNorrin Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 Archived-At: Subject: Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06 X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Mar 2018 20:55:29 -0000 ------=_Part_12128497_962282822.1520369722249 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable inline On Monday, March 5, 2018, 11:45:36 PM GMT+2, Ben Campbell wrote: =20 =20 =20 > On Mar 5, 2018, at 2:37 PM, Yuval Lifshitz wrote: >=20 > Hi Ben, > * Will remove the normative language from 15.2 and 15.3 > * "Is there reasonable guidance one could give to not encode personal inf= ormation in the URL?". The other option is passing the personal info in som= e out-of-band way, it make the whole thing more complex, but could add that= as a point to consider Well, there=E2=80=99s a difference between constructing a a URL in form of = =E2=80=9Cserver//=E2=80=A6 vs =E2=80=9Cserver= //=E2=80=A6=E2=80=9D. Both may have privacy issues but the latte= r seem worse. "=C2=A0=C2=A0 the service-provider may embed personal information on the su= bscriber in=20 =C2=A0=C2=A0 the URL/I (e.g. to create a personalized message). However, th= e service-provider may choose to pass=20 =C2=A0=C2=A0 an obfuscated identifier instead, and let the redirect server = query the information directly. " > * "Is there reasonable guidance that could be given to avoid putting priv= acy sensitive info in these?" - not really, the goal of these AVPs is to ca= rry such information if needed by the credit-control server The text said =E2=80=9Cdepending on how the service-provider uses them=E2= =80=9D. Can you elaborate on that? It doesn=E2=80=99t need to be details, m= aybe just a sentence or two. When used in 3GPP TS 32.299, the=C2=A0Service-Context-Id AVP hold a differe= nt value for requests regarding: IP traffic, SMS and MMS etc.Service-Parame= ter-Info is not used in 3GPP specs, so I cannot give a concrete example.I g= uess that operators could use it to carry different attributes of the subsc= riber. Note that an AVP called Service-Information (defined in 32.299, not RFC4006= ) which have similar functionality to Service-Parameter-Info, is used to ca= rry information like access technology, subscriber location, and more >=20 > On a different note, is there any active work done on Diameter base priva= cy consideration and end2end/AVP encryption? Should this WG look into that? There=E2=80=99s been off and on work on e2e encryption. RFC 7966 offers a p= roblem statement and requirements. I don=E2=80=99t think we are likely to f= ind energy in DIME to progress a solution at this time, but I=E2=80=99d lov= e to be proven wrong :-) >=20 > Yuval >=20 > On Friday, March 2, 2018, 5:04:31 AM GMT+2, Ben Campbell wrote: >=20 > Hi Yuval, >=20 > Thanks, this looks really good. You=E2=80=99ve done a lot of work here. >=20 > I=E2=80=99m not sure the normative keywords are necessary; I think for so= mething like this it=E2=80=99s better to describe the risks and what people= can do about it, but we generally can=E2=80=99t force people to follow tha= t guidance. Also, the added normative requirements in 15.2 and 15.3=C2=A0 a= re significant new requriements, and may need working group discussion. >=20 > I have a few more comments inline: >=20 > Thanks! >=20 > Ben. >=20 > > On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz wrote: > > > > Hi All, > > Would appreciate if you can review/comment on the the following new sec= tion: > > 15.=C2=A0 Privacy Considerations > > > >=C2=A0 =C2=A0 As the Diameter protocol, and especially credit control ap= plication, > >=C2=A0 =C2=A0 deals with subscribers and their actions, extra care shoul= d be taken > >=C2=A0 =C2=A0 regarding the privacy of the subscribers.=C2=A0 In terms o= f [RFC6973], > >=C2=A0 =C2=A0 both the credit-control client and credit-control server a= re > >=C2=A0 =C2=A0 intermediary entities, wherein the subscribers' privacy ma= y be > >=C2=A0 =C2=A0 compromised even if no security issues exists, and only au= thorized > >=C2=A0 =C2=A0 entities have access to the privacy-sensitive information. > > > > 15.1.=C2=A0 Privacy Sensitive AVPs > > > >=C2=A0 =C2=A0 The following AVPs contain privacy-sensitive information a= t different > >=C2=A0 =C2=A0 levels: > > > >=C2=A0 =C2=A0 1.=C2=A0 CC-Correlation-Id AVP: may contain privacy-sensit= ive information > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 as the service-provider may encode personal = information that > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 helps it correlate different subscriptions a= nd access > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 technologies. > > > >=C2=A0 =C2=A0 2.=C2=A0 Check-Balance-Result AVP: contains information on= the balance > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 status of the subscriber. > > > >=C2=A0 =C2=A0 3.=C2=A0 Currency-Code AVP: contains information on the su= bscriber's > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 locale. > > > >=C2=A0 =C2=A0 4.=C2=A0 Cost-Unit AVP: contains privacy-sensitive informa= tion, as a > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 human readable format of the Cost-Informatio= n AVP. > > > >=C2=A0 =C2=A0 5.=C2=A0 Service-Identifier AVP: may contain privacy-sensi= tive > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 information about the subscriber's internet = activity. > > > >=C2=A0 =C2=A0 6.=C2=A0 Rating-Group AVP: may contain privacy-sensitive i= nformation > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 about the subscriber's internet activity. > > > >=C2=A0 =C2=A0 7.=C2=A0 Restriction-Filter-Rule AVP: the information insi= de IPFilterRule > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 may be used to infer services used by the su= bscriber. > > > >=C2=A0 =C2=A0 8.=C2=A0 Redirect-Server-Address AVP: the service-provider= may embed > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 personal information on the subscriber in th= e URL/I (e.g. to > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 create a personalized message).=C2=A0 Simila= r AVPs are: Redirect- > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Address-URL, Redirect-Address-SIP-URI. >=20 > Is there reasonable guidance one could give to not encode personal inform= ation in the URL? >=20 > > > >=C2=A0 =C2=A0 9.=C2=A0 Service-Context-Id AVP: depending with how the se= rvice-provider > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 use it, it may contain privacy-sensitive inf= ormation about the > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 service (e.g. access technology). > > > >=C2=A0 =C2=A0 10.=C2=A0 Service-Parameter-Info AVP: depending with how t= he service- > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 provider use it, it may contain privacy-sens= itive information > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 about the subscriber (e.g. location). > > >=20 > for both 9 and 10: =E2=80=9C=E2=80=A6 service-provider use it=E2=80=A6 = =E2=80=9C s/use/uses >=20 > Is there reasonable guidance that could be given to avoid putting privacy= sensitive info in these? >=20 > >=C2=A0 =C2=A0 11.=C2=A0 Subscription-Id-Data AVP: contains the identity = of the > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 subscriber.=C2=A0 Similar AVPs are: Subscrip= tion-Id-E164, > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Subscription-Id-IMSI, Subscription-Id-SIP-UR= I, Subscription-Id- > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 NAI, Subscription-Id-Private. > > > >=C2=A0 =C2=A0 12.=C2=A0 User-Equipment-Info-Value AVP: contains the iden= tity of the > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 device of the subscriber.=C2=A0 Similar AVPs= are: User-Equipment- > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Info-IMEISV, User-Equipment-Info-MAC, User-E= quipment-Info-EUI64, > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 User-Equipment-Info-ModifiedEUI64, User-Equi= pment-Info-IMEI. > > > >=C2=A0 =C2=A0 13.=C2=A0 QoS-Final-Unit-Indication AVP: grouped AVP which= may contains > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 privacy-sensitive information in its sub-AVP= s (e.g IPFilterRule, > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 redirect address). > > > >=C2=A0 =C2=A0 Note that some AVPs which are used in this document are de= fined in > >=C2=A0 =C2=A0 [RFC6733] and may contain privacy-sensitive information.= =C2=A0 These AVPs > >=C2=A0 =C2=A0 are not listed above. > > > > 15.2.=C2=A0 Data Minimization > > > >=C2=A0 =C2=A0 Due to the nature of the credit control application, some = personal > >=C2=A0 =C2=A0 data and identity information must be stored in both credi= t-control > >=C2=A0 =C2=A0 client and credit control server.=C2=A0 This, however, cou= ld be minimized > >=C2=A0 =C2=A0 by following these guidelines: > > > >=C2=A0 =C2=A0 1.=C2=A0 Data stored in the credit-control client does not= need to be > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 persisted across sessions.=C2=A0 All data co= uld be deleted once the > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 session end, and reconstructed once a new se= ssion is initialized. > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 Note that, while the credit-control server i= s usually owned by > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 the service provider with which the subscrib= er already has some > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 direct legal or business relationship (where= privacy level could > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 be agreed upon), this is not always true for= the credit-control > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 client, that may be owned by a third-party. > > > >=C2=A0 =C2=A0 2.=C2=A0 Some information about the subscriber has to be s= tored in > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 persistent storage in the credit-control ser= ver (e.g. identity, > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 balance), however, per transaction informati= on does not have to > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 be stored in persistent storage, and per ses= sion information may > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 be deleted from persistent storage once the = session ends. > > > >=C2=A0 =C2=A0 3.=C2=A0 In some cases, per transaction information has to= be stored on > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 the credit-control server, client, or both, = for regulatory, > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 auditability or debugging reasons.=C2=A0 How= ever, this could be > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 minimized by following these guidelines: > > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 A.=C2=A0 Data retention SHOULD NOT exceed th= e required durations > > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 B.=C2=A0 Transaction information SHOULD be a= ggregated as much as > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 possible.=C2=A0 E.g.=C2=A0 pre= fer information per sessions vs. > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 information per rating-group; = prefer hourly byte summary vs. > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 per transaction byte counts. > > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 C.=C2=A0 If not strictly needed, the more se= nsitive information (E.g. > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 location, equipment type) SHOU= LD be filtered out from such > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 logs.=C2=A0 Such information i= s often used to make rating > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 decisions, and in this case, t= he rating decision should be > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 logged instead of the data use= d to make them > > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 D.=C2=A0 The credit-control server SHOULD be= preferred over the > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 credit-control client as the p= lace where per transaction > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 information is stored, if need= ed.=C2=A0 This is due to the reasons > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 explained in 1. >=20 > I would avoid the above SHOULDs.=C2=A0 Rather, state these in terms of th= ings people _can_ do to improve privacy. >=20 > > > > 15.3.=C2=A0 Diameter Agents > > > >=C2=A0 =C2=A0 Diameter agents, as described in [RFC6733], may be owned b= y third- > >=C2=A0 =C2=A0 parties.=C2=A0 To prevent from privacy sensitive informati= on from leaking > >=C2=A0 =C2=A0 into them, it is RECOMMENDED to encrypt AVPs holding such > >=C2=A0 =C2=A0 information, as listed in Section 15.1. >=20 > Do you think people will actually do that? If not, there=E2=80=99s no poi= nt in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know it will = be ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients and server= s could encrypt AVPs=E2=80=A6=E2=80=9D >=20 > Also, since we don=E2=80=99t have an e2e crypto standard for Diameter (ye= t, anyway), it would be hard to do this in an interoperable way. People wou= ld have to agree on algorithms, key management, etc. That doesn=E2=80=99t m= ean we can=E2=80=99t mention it, but it argues against a normative requirem= ent. >=20 >=20 > > > >=C2=A0 =C2=A0 In some cases, the Diameter agent requires access into pri= vacy- > >=C2=A0 =C2=A0 sensitive AVPs, in order to take correct routing decisions= , or even > >=C2=A0 =C2=A0 modify the content of these AVPs.=C2=A0 In such a case it = is RECOMMENDED > >=C2=A0 =C2=A0 to anonymize the identity of the subscriber, and encrypt a= ny other > >=C2=A0 =C2=A0 AVP not used by the agent and can be used to identify the = subscriber. > > > > > > > > > > > > On Wednesday, February 14, 2018, 7:12:49 PM GMT+2, Ben Campbell wrote: > > > > > > Even if we add privacy considerations to the base protocol, I think 400= 6bis would still need privacy considerations that discuss the specific AVPs= it defines. So I would go ahead and add considerations to 4006bis and avoi= d the delay. The WG can discuss whether it would like to add more general c= onsiderations to the base protocol (either in a bis draft or an update). > > > > Thanks! > > > > Ben. > > > > > On Feb 14, 2018, at 11:06 AM, Yuval Lifshitz wrot= e: > > > > > > Regarding "privacy considerations". Note that the base protocol RFC d= oes not have that. > > > Ideally, this is added to base Diameter first, as many of the sensiti= ve AVPs come from there. > > > Should we try to tackle that first (though this would delay the RFC40= 06bis process)? > > > Should we cover only 4006 AVPs and issues? > > > > > > Best Regards, > > > > > > Yuval > > > > > > > > > On Wednesday, February 14, 2018, 5:56:52 PM GMT+2, Yuval Lifshitz wrote: > > > > > > > > > Ben, > > > First, thanks for the comments! > > > > > > Regarding the major comment, agree this should be added, it was alrea= dy agreed in the meeting we had in IETF96, but somehow slipped :-( > > > > > > Sections 12: all the AVPs mentioned in this section exists in RFC4006= , and has values that are already registered. As part of RFC4006bis we did = not add any AVP that requires values enumeration (this was actually one of = the issue we tried to tackle). What would you like to see different in this= section? > > > What is the process for updating IANA with the references to the new = doc? Can this happen before RFC4006bis is officially accepted? > > > > > > Appendix B: the new AVPs do not impact the flows, therefore not added= to the sample flows > > > > > > 8.34 agree, this is pretty bad. How about: > > > If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT > > >=C2=A0 =C2=A0 and the classification of the restricted traffic cannot = be expressed > > >=C2=A0 =C2=A0 using IPFilterRule, or different actions (e.g., QoS) tha= n just > > >=C2=A0 =C2=A0 allowing traffic needs to be enforced, then the QoS-Fina= l-Unit- > > >=C2=A0 =C2=A0 Indication AVP SHOULD be used instead of the Final-Unit-= Indication > > >=C2=A0 =C2=A0 AVP. > > > > > > > > > 14. agree we should simplify as you suggested > > > > > > Best Regards, > > > > > > Yuval > > > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell wrote: > > > > > > > > > Hi, > > > > > > This is my AD Evaluation of draft-ietf-dime-rfc4006bis-06. Thanks for= the work on this; it=E2=80=99s overall a good update. However, I have one = major comment and a few minor or editorial comments. I=E2=80=99d like to di= scuss the major comment prior IETF last call. The rest can be handled along= with any last call feedback. > > > > > > Note that for all but the major comment, I mostly reviewed the diff f= rom RFC 4006. > > > > > > Thanks! > > > > > > Ben. > > > > > > =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80= =94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94 > > > > > > Major Comment: > > > > > > I strongly suggest that you add more privacy considerations. I realiz= e that it inherits its existing privacy considerations from RFC 4006, but t= hat was published in 2005. The IETF=E2=80=99s focus on privacy has evolved = considerably since then, and I think this draft will get objections during = IESG review without adding some more. > > > > > > I suggest the following: > > > =E2=80=94 Create a =E2=80=9CPrivacy Considerations=E2=80=9D section s= eparate from the security considerations. > > > =E2=80=94 Enumerate the AVPs that you think contain user identifiable= information, persistent identifiers, or other privacy sensitive data. > > > =E2=80=94 Make some non-normative recommendations concerning data min= imization. That is, add a few sentences recommending that clients and serve= rs avoid capturing and/or log personal information beyond that needed for t= he application's purpose. > > > > > > Minor Comments: > > > > > > -Section 12 and subsections: Please clarify that many of these elemen= ts were already registered by RF 4006, and are not being =E2=80=9Cre-regist= ered=E2=80=9D here. ( It=E2=80=99s perfectly okay to pull the registration = information forward into the bis draft; it just needs clarification.) Also,= please consider wether existing registrations should be updated to point t= o this document rather than 4006. > > > > > > Appendices: Would any of the example flows benefit from including one= or more of the new AVPs? > > > > > > Editorial and Nits: > > > > > > -Section 8.34: =E2=80=9C If the Final-Unit-Action AVP is set to RESTR= ICT_ACCESS or REDIRECT > > > and the classification of the restricted traffic cannot be expressed > > > using IPFilterRule, or different actions (e.g., QoS) than just > > > allowing QoS needs to be enforced traffic, =E2=80=A6 =E2=80=9C > > > > > > I have trouble parsing the sentence. > > > > > > -14: "Even without any modification to the messages, an adversary can > > >=C2=A0 invite a security threat by eavesdropping, as the transactions = contain private information about the user. > > > =E2=80=9D > > > I suggest =E2=80=9C =E2=80=A6 an adversary can eavesdrop on transacti= ons that contain privacy-sensitive imformation=E2=80=9D > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > DiME mailing list > > > DiME@ietf.org > > > https://www.ietf.org/mailman/listinfo/dime >=20 > > _______________________________________________ > > DiME mailing list > > DiME@ietf.org > > https://www.ietf.org/mailman/listinfo/dime =20 ------=_Part_12128497_962282822.1520369722249 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
inline

=20
=20
On Monday, March 5, 2018, 11:45:36 PM GMT+2, Ben Ca= mpbell <ben@nostrum.com> wrote:




> On Mar 5, 2018, at 2:37 PM, Yuval Lifshitz <yuvali= f@yahoo.com> wrote:
>
> H= i Ben,
> * Will remove the normative language from 15.= 2 and 15.3
> * "Is there reasonable guidance one could= give to not encode personal information in the URL?". The other option is = passing the personal info in some out-of-band way, it make the whole thing = more complex, but could add that as a point to consider
<= br clear=3D"none">Well, there=E2=80=99s a difference between constructing a= a URL in form of =E2=80=9Cserver/<rnd-number-that-changes-alot>/=E2= =80=A6 vs =E2=80=9Cserver/<user-name>/=E2=80=A6=E2=80=9D. Both may ha= ve privacy issues but the latter seem worse.

"
   the service-provider may embed personal information on the= subscriber in
   the URL/I (e.g. to create a personalized me= ssage). However, the service-provider may choose to pass
   a= n obfuscated identifier instead, and let the redirect server query the info= rmation directly.
= "

> * "Is there reaso= nable guidance that could be given to avoid putting privacy sensitive info = in these?" - not really, the goal of these AVPs is to carry such informatio= n if needed by the credit-control server

The text said =E2=80=9Cdepending on how the service-provider uses them= =E2=80=9D. Can you elaborate on that? It doesn=E2=80=99t need to be details= , maybe just a sentence or two.

When used = in 3GPP TS 32.299, the Service-Context-Id A= VP hold a different value for requests regarding: IP traffic, SM= S and MMS etc.
Service-Para= meter-Info is not used in 3GPP specs, so I cannot give a concrete example.I= guess that operators could use it to carry different attributes of the sub= scriber.
Note that an A= VP called Service-Information (defined in 32.299, not RFC4006) which have s= imilar functionality to Service-Parameter-Info, is used to carry information like access technology, subscriber = location, and more


>
> On a different note, is there any active work done on Dia= meter base privacy consideration and end2end/AVP encryption? Should this WG= look into that?

There=E2=80=99s been = off and on work on e2e encryption. RFC 7966 offers a problem statement and = requirements. I don=E2=80=99t think we are likely to find energy in DIME to= progress a solution at this time, but I=E2=80=99d love to be proven wrong = :-)


>
> Yuval
>
> On Friday, March 2, 2018, 5:04:31 AM= GMT+2, Ben Campbell <ben@nostrum.com> wrote:
>
> Hi Yuval,
> > Thanks, this looks really good. You=E2=80=99ve done a = lot of work here.
>
> I=E2=80=99= m not sure the normative keywords are necessary; I think for something like= this it=E2=80=99s better to describe the risks and what people can do abou= t it, but we generally can=E2=80=99t force people to follow that guidance. = Also, the added normative requirements in 15.2 and 15.3  are significa= nt new requriements, and may need working group discussion.
>
> I have a few more comments inline:
>
> Thanks!
>
> Ben.
>
> >= On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz <yuvalif@yahoo.= com> wrote:
> >
> > = Hi All,
> > Would appreciate if you can review/comm= ent on the the following new section:
> > 15. = Privacy Considerations
> >
> = >    As the Diameter protocol, and especially credit control a= pplication,
> >    deals with subscribers= and their actions, extra care should be taken
> >&= nbsp;   regarding the privacy of the subscribers.  In terms of [R= FC6973],
> >    both the credit-control c= lient and credit-control server are
> >   = ; intermediary entities, wherein the subscribers' privacy may be
> >    compromised even if no security issues exi= sts, and only authorized
> >    entities = have access to the privacy-sensitive information.
> &g= t;
> > 15.1.  Privacy Sensitive AVPs
> >
> >    The following = AVPs contain privacy-sensitive information at different
&= gt; >    levels:
> >
> >    1.  CC-Correlation-Id AVP: may contain privacy= -sensitive information
> >      &nbs= p; as the service-provider may encode personal information that
> >        helps it correlate different su= bscriptions and access
> >      &nbs= p; technologies.
> >
> >&nb= sp;   2.  Check-Balance-Result AVP: contains information on the b= alance
> >        status of the= subscriber.
> >
> >  =   3.  Currency-Code AVP: contains information on the subscriber's=
> >        locale.
> >
> >    4.  Cost-Uni= t AVP: contains privacy-sensitive information, as a
> = >        human readable format of the Cost-Informati= on AVP.
> >
> >   = ; 5.  Service-Identifier AVP: may contain privacy-sensitive
> >        information about the subscr= iber's internet activity.
> >
>= ; >    6.  Rating-Group AVP: may contain privacy-sensitiv= e information
> >        about = the subscriber's internet activity.
> >
> >    7.  Restriction-Filter-Rule AVP: the inf= ormation inside IPFilterRule
> >     = ;   may be used to infer services used by the subscriber.
> >
> >    8.  Redirect-= Server-Address AVP: the service-provider may embed
> &= gt;        personal information on the subscriber in th= e URL/I (e.g. to
> >        cre= ate a personalized message).  Similar AVPs are: Redirect-
> >        Address-URL, Redirect-Address-SI= P-URI.
>
> Is there reasonable g= uidance one could give to not encode personal information in the URL?
>
> >
> >&= nbsp;   9.  Service-Context-Id AVP: depending with how the servic= e-provider
> >        use it, i= t may contain privacy-sensitive information about the
>= ; >        service (e.g. access technology).
> >
> >    10.  Ser= vice-Parameter-Info AVP: depending with how the service-
= > >        provider use it, it may contain privac= y-sensitive information
> >      &nb= sp; about the subscriber (e.g. location).
> >
>
> for both 9 and 10: =E2=80=9C=E2= =80=A6 service-provider use it=E2=80=A6 =E2=80=9C s/use/uses
>
> Is there reasonable guidance that could be= given to avoid putting privacy sensitive info in these?
= >
> >    11.  Subscription-Id-Da= ta AVP: contains the identity of the
> >  &nbs= p;     subscriber.  Similar AVPs are: Subscription-Id-E164,<= br clear=3D"none">> >        Subscription-Id-IMSI= , Subscription-Id-SIP-URI, Subscription-Id-
> >&nbs= p;       NAI, Subscription-Id-Private.
>= ; >
> >    12.  User-Equipment-In= fo-Value AVP: contains the identity of the
> > = ;       device of the subscriber.  Similar AVPs are: Us= er-Equipment-
> >        Info-I= MEISV, User-Equipment-Info-MAC, User-Equipment-Info-EUI64,
> >        User-Equipment-Info-ModifiedEUI64, U= ser-Equipment-Info-IMEI.
> >
>= >    13.  QoS-Final-Unit-Indication AVP: grouped AVP whi= ch may contains
> >        priv= acy-sensitive information in its sub-AVPs (e.g IPFilterRule,
> >        redirect address).
> >
> >    Note that some AVPs w= hich are used in this document are defined in
> >&n= bsp;   [RFC6733] and may contain privacy-sensitive information.  = These AVPs
> >    are not listed above.> >
> > 15.2.  Data Min= imization
> >
> >  &nb= sp; Due to the nature of the credit control application, some personal
> >    data and identity information must be = stored in both credit-control
> >    clie= nt and credit control server.  This, however, could be minimized
> >    by following these guidelines:
> >
> >    1.  Data = stored in the credit-control client does not need to be
&= gt; >        persisted across sessions.  All da= ta could be deleted once the
> >     = ;   session end, and reconstructed once a new session is initialized.<= br clear=3D"none">> >        Note that, while the= credit-control server is usually owned by
> > = ;       the service provider with which the subscriber alrea= dy has some
> >        direct l= egal or business relationship (where privacy level could
= > >        be agreed upon), this is not always tr= ue for the credit-control
> >      &= nbsp; client, that may be owned by a third-party.
> &g= t;
> >    2.  Some information about= the subscriber has to be stored in
> >   = ;     persistent storage in the credit-control server (e.g. ident= ity,
> >        balance), howev= er, per transaction information does not have to
> >= ;        be stored in persistent storage, and per sessi= on information may
> >        b= e deleted from persistent storage once the session ends.
= > >
> >    3.  In some cases, = per transaction information has to be stored on
> >=         the credit-control server, client, or both, for= regulatory,
> >        auditab= ility or debugging reasons.  However, this could be
= > >        minimized by following these guideline= s:
> >
> >    &nb= sp;   A.  Data retention SHOULD NOT exceed the required durations=
> >
> >     = ;   B.  Transaction information SHOULD be aggregated as much as> >            possibl= e.  E.g.  prefer information per sessions vs.
&= gt; >            information per rating-gr= oup; prefer hourly byte summary vs.
> >   = ;         per transaction byte counts.
> >
> >        C. = If not strictly needed, the more sensitive information (E.g.
> >            location, equipment= type) SHOULD be filtered out from such
> >  &= nbsp;         logs.  Such information is often use= d to make rating
> >        &nb= sp;   decisions, and in this case, the rating decision should be
> >            logged inst= ead of the data used to make them
> >
> >        D.  The credit-control serve= r SHOULD be preferred over the
> >    &nb= sp;       credit-control client as the place where per trans= action
> >           = information is stored, if needed.  This is due to the reasons
> >            explained in = 1.
>
> I would avoid the above S= HOULDs.  Rather, state these in terms of things people _can_ do to imp= rove privacy.
>
> >
> > 15.3.  Diameter Agents
> >=
> >    Diameter agents, as described in = [RFC6733], may be owned by third-
> >    = parties.  To prevent from privacy sensitive information from leaking> >    into them, it is RECOMMENDED to enc= rypt AVPs holding such
> >    information= , as listed in Section 15.1.
>
>= Do you think people will actually do that? If not, there=E2=80=99s no poin= t in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know it will b= e ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients and servers= could encrypt AVPs=E2=80=A6=E2=80=9D
>
> Also, since we don=E2=80=99t have an e2e crypto standard for Diam= eter (yet, anyway), it would be hard to do this in an interoperable way. Pe= ople would have to agree on algorithms, key management, etc. That doesn=E2= =80=99t mean we can=E2=80=99t mention it, but it argues against a normative= requirement.
>
>
> >
> >    In some cases, the = Diameter agent requires access into privacy-
> >&nb= sp;   sensitive AVPs, in order to take correct routing decisions, or e= ven
> >    modify the content of these AV= Ps.  In such a case it is RECOMMENDED
> > = ;   to anonymize the identity of the subscriber, and encrypt any other=
> >    AVP not used by the agent and can= be used to identify the subscriber.
> >
> >
> >
> >=
> >
> > On Wednesday, Febr= uary 14, 2018, 7:12:49 PM GMT+2, Ben Campbell <ben@nostrum.com= > wrote:
> >
> >
> > Even if we add privacy considerations to the base = protocol, I think 4006bis would still need privacy considerations that disc= uss the specific AVPs it defines. So I would go ahead and add consideration= s to 4006bis and avoid the delay. The WG can discuss whether it would like = to add more general considerations to the base protocol (either in a bis dr= aft or an update).
> >
> > = Thanks!
> >
> > Ben.
> >
> > > On Feb 14, 2018, at = 11:06 AM, Yuval Lifshitz <yuvalif@yahoo.com> wrote:> > >
> > > Regarding = "privacy considerations". Note that the base protocol RFC does not have tha= t.
> > > Ideally, this is added to base Diameter= first, as many of the sensitive AVPs come from there.
&g= t; > > Should we try to tackle that first (though this would delay th= e RFC4006bis process)?
> > > Should we cover onl= y 4006 AVPs and issues?
> > >
= > > > Best Regards,
> > >
> > > Yuval
> > >
> > >
> > > On Wednesday, February 14= , 2018, 5:56:52 PM GMT+2, Yuval Lifshitz <yuvalif@yahoo.com<= /a>> wrote:
> > >
> >= >
> > > Ben,
> > >= ; First, thanks for the comments!
> > >
> > > Regarding the major comment, agree this should be = added, it was already agreed in the meeting we had in IETF96, but somehow s= lipped :-(
> > >
> > >= ; Sections 12: all the AVPs mentioned in this section exists in RFC4006, an= d has values that are already registered. As part of RFC4006bis we did not = add any AVP that requires values enumeration (this was actually one of the = issue we tried to tackle). What would you like to see different in this sec= tion?
> > > What is the process for updating IAN= A with the references to the new doc? Can this happen before RFC4006bis is = officially accepted?
> > >
>= ; > > Appendix B: the new AVPs do not impact the flows, therefore not= added to the sample flows
> > >
> > > 8.34 agree, this is pretty bad. How about:
> > > If the Final-Unit-Action AVP is set to RESTRICT_ACCESS o= r REDIRECT
> > >    and the classifica= tion of the restricted traffic cannot be expressed
> &= gt; >    using IPFilterRule, or different actions (e.g., QoS) = than just
> > >    allowing traffic ne= eds to be enforced, then the QoS-Final-Unit-
> > &g= t;    Indication AVP SHOULD be used instead of the Final-Unit-Ind= ication
> > >    AVP.
> > >
> > >
> &g= t; > 14. agree we should simplify as you suggested
>= ; > >
> > > Best Regards,
> > >
> > > Yuval
&= gt; > > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell= <ben@nostrum.com> wrote:
> > &= gt;
> > >
> > > Hi,> > >
> > > This is my= AD Evaluation of draft-ietf-dime-rfc4006bis-06. Thanks for the work on thi= s; it=E2=80=99s overall a good update. However, I have one major comment an= d a few minor or editorial comments. I=E2=80=99d like to discuss the major = comment prior IETF last call. The rest can be handled along with any last c= all feedback.
> > >
> > = > Note that for all but the major comment, I mostly reviewed the diff fr= om RFC 4006.
> > >
> > &= gt; Thanks!
> > >
> > &g= t; Ben.
> > >
> > > = =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2= =80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94
> > >=
> > > Major Comment:
> >= ; >
> > > I strongly suggest that you add mor= e privacy considerations. I realize that it inherits its existing privacy c= onsiderations from RFC 4006, but that was published in 2005. The IETF=E2=80= =99s focus on privacy has evolved considerably since then, and I think this= draft will get objections during IESG review without adding some more.
> > >
> > > I suggest th= e following:
> > > =E2=80=94 Create a =E2=80=9CP= rivacy Considerations=E2=80=9D section separate from the security considera= tions.
> > > =E2=80=94 Enumerate the AVPs that y= ou think contain user identifiable information, persistent identifiers, or = other privacy sensitive data.
> > > =E2=80=94 Ma= ke some non-normative recommendations concerning data minimization. That is= , add a few sentences recommending that clients and servers avoid capturing= and/or log personal information beyond that needed for the application's p= urpose.
> > >
> > > M= inor Comments:
> > >
> >= > -Section 12 and subsections: Please clarify that many of these elemen= ts were already registered by RF 4006, and are not being =E2=80=9Cre-regist= ered=E2=80=9D here. ( It=E2=80=99s perfectly okay to pull the registration = information forward into the bis draft; it just needs clarification.) Also,= please consider wether existing registrations should be updated to point t= o this document rather than 4006.
> > >
> > > Appendices: Would any of the example flows benefit= from including one or more of the new AVPs?
> > &g= t;
> > > Editorial and Nits:
&= gt; > >
> > > -Section 8.34: =E2=80=9C If = the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT
> > > and the classification of the restricted traffic cann= ot be expressed
> > > using IPFilterRule, or dif= ferent actions (e.g., QoS) than just
> > > allow= ing QoS needs to be enforced traffic, =E2=80=A6 =E2=80=9C
> > >
> > > I have trouble parsing the= sentence.
> > >
> > >= ; -14: "Even without any modification to the messages, an adversary can
> > >  invite a security threat by eavesdroppi= ng, as the transactions contain private information about the user.
> > > =E2=80=9D
> > > I sugg= est =E2=80=9C =E2=80=A6 an adversary can eavesdrop on transactions that con= tain privacy-sensitive imformation=E2=80=9D
> > >= ;
> > >
> > >
> > >
> > >
> > >
> > >
> &g= t; >
> > > __________________________________= _____________
> > > DiME mailing list
> > > DiME@ietf.org
> &= gt; > https://www.ietf.org/mailman/listinf= o/dime
>
> > ____________= ___________________________________
> > DiME mailin= g list
> > DiME@ietf.org
> > https://www.ietf.org/mailman/li= stinfo/dime
------=_Part_12128497_962282822.1520369722249-- From nobody Wed Mar 14 14:19:05 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BE901201FA; Wed, 14 Mar 2018 14:19:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.89 X-Spam-Level: X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id In1itCfrJR1d; Wed, 14 Mar 2018 14:19:00 -0700 (PDT) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D490B126CE8; Wed, 14 Mar 2018 14:19:00 -0700 (PDT) Received: from [10.0.1.91] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w2ELIxTS092439 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 14 Mar 2018 16:18:59 -0500 (CDT) (envelope-from ben@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.91] From: Ben Campbell Message-Id: Content-Type: multipart/signed; boundary="Apple-Mail=_0FEA1EF4-C53A-420D-98BD-E6BE0BFD7A7C"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Date: Wed, 14 Mar 2018 16:18:58 -0500 In-Reply-To: <563712218.12128498.1520369722254@mail.yahoo.com> Cc: ops-ads@ietf.org, dime@ietf.org, draft-ietf-dime-rfc4006bis.all@ietf.org To: Yuval Lifshitz References: <3C03A895-53C5-44D9-905F-9DD5248D3675@nostrum.com> <608352900.888044.1518623812177@mail.yahoo.com> <868034109.936629.1518628004592@mail.yahoo.com> <2108881588.5977405.1519629280512@mail.yahoo.com> <1410CC8D-8879-4435-AF6B-FBF5B9F9FA51@nostrum.com> <1444666056.11229924.1520282240683@mail.yahoo.com> <6BEEBB96-5E16-414F-AF79-7A6C05B80702@nostrum.com> <563712218.12128498.1520369722254@mail.yahoo.com> X-Mailer: Apple Mail (2.3445.5.20) Archived-At: Subject: Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06 X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Mar 2018 21:19:03 -0000 --Apple-Mail=_0FEA1EF4-C53A-420D-98BD-E6BE0BFD7A7C Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Also inline. Thanks! Ben. > On Mar 6, 2018, at 2:55 PM, Yuval Lifshitz wrote: >=20 > inline >=20 > On Monday, March 5, 2018, 11:45:36 PM GMT+2, Ben Campbell = wrote: >=20 >=20 >=20 >=20 > > On Mar 5, 2018, at 2:37 PM, Yuval Lifshitz = wrote: > > > > Hi Ben, > > * Will remove the normative language from 15.2 and 15.3 > > * "Is there reasonable guidance one could give to not encode = personal information in the URL?". The other option is passing the = personal info in some out-of-band way, it make the whole thing more = complex, but could add that as a point to consider >=20 > Well, there=E2=80=99s a difference between constructing a a URL in = form of =E2=80=9Cserver//=E2=80=A6 vs = =E2=80=9Cserver//=E2=80=A6=E2=80=9D. Both may have privacy = issues but the latter seem worse. >=20 > " > the service-provider may embed personal information on the = subscriber in > the URL/I (e.g. to create a personalized message). However, the = service-provider may choose to pass > an obfuscated identifier instead, and let the redirect server query = the information directly. > =E2=80=9C That WFC >=20 > > * "Is there reasonable guidance that could be given to avoid putting = privacy sensitive info in these?" - not really, the goal of these AVPs = is to carry such information if needed by the credit-control server >=20 > The text said =E2=80=9Cdepending on how the service-provider uses = them=E2=80=9D. Can you elaborate on that? It doesn=E2=80=99t need to be = details, maybe just a sentence or two. >=20 > When used in 3GPP TS 32.299, the Service-Context-Id AVP hold a = different value for requests regarding: IP traffic, SMS and MMS etc. > Service-Parameter-Info is not used in 3GPP specs, so I cannot give a = concrete example.I guess that operators could use it to carry different = attributes of the subscriber. > Note that an AVP called Service-Information (defined in 32.299, not = RFC4006) which have similar functionality to Service-Parameter-Info, is = used to carry information like access technology, subscriber location, = and more Okay >=20 >=20 > > > > On a different note, is there any active work done on Diameter base = privacy consideration and end2end/AVP encryption? Should this WG look = into that? >=20 > There=E2=80=99s been off and on work on e2e encryption. RFC 7966 = offers a problem statement and requirements. I don=E2=80=99t think we = are likely to find energy in DIME to progress a solution at this time, = but I=E2=80=99d love to be proven wrong :-) >=20 >=20 > > > > Yuval > > > > On Friday, March 2, 2018, 5:04:31 AM GMT+2, Ben Campbell = wrote: > > > > Hi Yuval, > > > > Thanks, this looks really good. You=E2=80=99ve done a lot of work = here. > > > > I=E2=80=99m not sure the normative keywords are necessary; I think = for something like this it=E2=80=99s better to describe the risks and = what people can do about it, but we generally can=E2=80=99t force people = to follow that guidance. Also, the added normative requirements in 15.2 = and 15.3 are significant new requriements, and may need working group = discussion. > > > > I have a few more comments inline: > > > > Thanks! > > > > Ben. > > > > > On Feb 26, 2018, at 1:14 AM, Yuval Lifshitz = wrote: > > > > > > Hi All, > > > Would appreciate if you can review/comment on the the following = new section: > > > 15. Privacy Considerations > > > > > > As the Diameter protocol, and especially credit control = application, > > > deals with subscribers and their actions, extra care should be = taken > > > regarding the privacy of the subscribers. In terms of = [RFC6973], > > > both the credit-control client and credit-control server are > > > intermediary entities, wherein the subscribers' privacy may be > > > compromised even if no security issues exists, and only = authorized > > > entities have access to the privacy-sensitive information. > > > > > > 15.1. Privacy Sensitive AVPs > > > > > > The following AVPs contain privacy-sensitive information at = different > > > levels: > > > > > > 1. CC-Correlation-Id AVP: may contain privacy-sensitive = information > > > as the service-provider may encode personal information = that > > > helps it correlate different subscriptions and access > > > technologies. > > > > > > 2. Check-Balance-Result AVP: contains information on the = balance > > > status of the subscriber. > > > > > > 3. Currency-Code AVP: contains information on the subscriber's > > > locale. > > > > > > 4. Cost-Unit AVP: contains privacy-sensitive information, as a > > > human readable format of the Cost-Information AVP. > > > > > > 5. Service-Identifier AVP: may contain privacy-sensitive > > > information about the subscriber's internet activity. > > > > > > 6. Rating-Group AVP: may contain privacy-sensitive information > > > about the subscriber's internet activity. > > > > > > 7. Restriction-Filter-Rule AVP: the information inside = IPFilterRule > > > may be used to infer services used by the subscriber. > > > > > > 8. Redirect-Server-Address AVP: the service-provider may embed > > > personal information on the subscriber in the URL/I (e.g. = to > > > create a personalized message). Similar AVPs are: = Redirect- > > > Address-URL, Redirect-Address-SIP-URI. > > > > Is there reasonable guidance one could give to not encode personal = information in the URL? > > > > > > > > 9. Service-Context-Id AVP: depending with how the = service-provider > > > use it, it may contain privacy-sensitive information about = the > > > service (e.g. access technology). > > > > > > 10. Service-Parameter-Info AVP: depending with how the = service- > > > provider use it, it may contain privacy-sensitive = information > > > about the subscriber (e.g. location). > > > > > > > for both 9 and 10: =E2=80=9C=E2=80=A6 service-provider use it=E2=80=A6= =E2=80=9C s/use/uses > > > > Is there reasonable guidance that could be given to avoid putting = privacy sensitive info in these? > > > > > 11. Subscription-Id-Data AVP: contains the identity of the > > > subscriber. Similar AVPs are: Subscription-Id-E164, > > > Subscription-Id-IMSI, Subscription-Id-SIP-URI, = Subscription-Id- > > > NAI, Subscription-Id-Private. > > > > > > 12. User-Equipment-Info-Value AVP: contains the identity of = the > > > device of the subscriber. Similar AVPs are: = User-Equipment- > > > Info-IMEISV, User-Equipment-Info-MAC, = User-Equipment-Info-EUI64, > > > User-Equipment-Info-ModifiedEUI64, = User-Equipment-Info-IMEI. > > > > > > 13. QoS-Final-Unit-Indication AVP: grouped AVP which may = contains > > > privacy-sensitive information in its sub-AVPs (e.g = IPFilterRule, > > > redirect address). > > > > > > Note that some AVPs which are used in this document are defined = in > > > [RFC6733] and may contain privacy-sensitive information. These = AVPs > > > are not listed above. > > > > > > 15.2. Data Minimization > > > > > > Due to the nature of the credit control application, some = personal > > > data and identity information must be stored in both = credit-control > > > client and credit control server. This, however, could be = minimized > > > by following these guidelines: > > > > > > 1. Data stored in the credit-control client does not need to = be > > > persisted across sessions. All data could be deleted once = the > > > session end, and reconstructed once a new session is = initialized. > > > Note that, while the credit-control server is usually owned = by > > > the service provider with which the subscriber already has = some > > > direct legal or business relationship (where privacy level = could > > > be agreed upon), this is not always true for the = credit-control > > > client, that may be owned by a third-party. > > > > > > 2. Some information about the subscriber has to be stored in > > > persistent storage in the credit-control server (e.g. = identity, > > > balance), however, per transaction information does not = have to > > > be stored in persistent storage, and per session = information may > > > be deleted from persistent storage once the session ends. > > > > > > 3. In some cases, per transaction information has to be stored = on > > > the credit-control server, client, or both, for regulatory, > > > auditability or debugging reasons. However, this could be > > > minimized by following these guidelines: > > > > > > A. Data retention SHOULD NOT exceed the required durations > > > > > > B. Transaction information SHOULD be aggregated as much as > > > possible. E.g. prefer information per sessions vs. > > > information per rating-group; prefer hourly byte = summary vs. > > > per transaction byte counts. > > > > > > C. If not strictly needed, the more sensitive information = (E.g. > > > location, equipment type) SHOULD be filtered out from = such > > > logs. Such information is often used to make rating > > > decisions, and in this case, the rating decision should = be > > > logged instead of the data used to make them > > > > > > D. The credit-control server SHOULD be preferred over the > > > credit-control client as the place where per = transaction > > > information is stored, if needed. This is due to the = reasons > > > explained in 1. > > > > I would avoid the above SHOULDs. Rather, state these in terms of = things people _can_ do to improve privacy. > > > > > > > > 15.3. Diameter Agents > > > > > > Diameter agents, as described in [RFC6733], may be owned by = third- > > > parties. To prevent from privacy sensitive information from = leaking > > > into them, it is RECOMMENDED to encrypt AVPs holding such > > > information, as listed in Section 15.1. > > > > Do you think people will actually do that? If not, there=E2=80=99s = no point in a =E2=80=9CRECOMMENDED=E2=80=9D level requirement if we know = it will be ignored. It would be better to say =E2=80=9C=E2=80=A6 Clients = and servers could encrypt AVPs=E2=80=A6=E2=80=9D > > > > Also, since we don=E2=80=99t have an e2e crypto standard for = Diameter (yet, anyway), it would be hard to do this in an interoperable = way. People would have to agree on algorithms, key management, etc. That = doesn=E2=80=99t mean we can=E2=80=99t mention it, but it argues against = a normative requirement. > > > > > > > > > > In some cases, the Diameter agent requires access into privacy- > > > sensitive AVPs, in order to take correct routing decisions, or = even > > > modify the content of these AVPs. In such a case it is = RECOMMENDED > > > to anonymize the identity of the subscriber, and encrypt any = other > > > AVP not used by the agent and can be used to identify the = subscriber. > > > > > > > > > > > > > > > > > > On Wednesday, February 14, 2018, 7:12:49 PM GMT+2, Ben Campbell = wrote: > > > > > > > > > Even if we add privacy considerations to the base protocol, I = think 4006bis would still need privacy considerations that discuss the = specific AVPs it defines. So I would go ahead and add considerations to = 4006bis and avoid the delay. The WG can discuss whether it would like to = add more general considerations to the base protocol (either in a bis = draft or an update). > > > > > > Thanks! > > > > > > Ben. > > > > > > > On Feb 14, 2018, at 11:06 AM, Yuval Lifshitz = wrote: > > > > > > > > Regarding "privacy considerations". Note that the base protocol = RFC does not have that. > > > > Ideally, this is added to base Diameter first, as many of the = sensitive AVPs come from there. > > > > Should we try to tackle that first (though this would delay the = RFC4006bis process)? > > > > Should we cover only 4006 AVPs and issues? > > > > > > > > Best Regards, > > > > > > > > Yuval > > > > > > > > > > > > On Wednesday, February 14, 2018, 5:56:52 PM GMT+2, Yuval = Lifshitz wrote: > > > > > > > > > > > > Ben, > > > > First, thanks for the comments! > > > > > > > > Regarding the major comment, agree this should be added, it was = already agreed in the meeting we had in IETF96, but somehow slipped :-( > > > > > > > > Sections 12: all the AVPs mentioned in this section exists in = RFC4006, and has values that are already registered. As part of = RFC4006bis we did not add any AVP that requires values enumeration (this = was actually one of the issue we tried to tackle). What would you like = to see different in this section? > > > > What is the process for updating IANA with the references to the = new doc? Can this happen before RFC4006bis is officially accepted? > > > > > > > > Appendix B: the new AVPs do not impact the flows, therefore not = added to the sample flows > > > > > > > > 8.34 agree, this is pretty bad. How about: > > > > If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or = REDIRECT > > > > and the classification of the restricted traffic cannot be = expressed > > > > using IPFilterRule, or different actions (e.g., QoS) than = just > > > > allowing traffic needs to be enforced, then the = QoS-Final-Unit- > > > > Indication AVP SHOULD be used instead of the = Final-Unit-Indication > > > > AVP. > > > > > > > > > > > > 14. agree we should simplify as you suggested > > > > > > > > Best Regards, > > > > > > > > Yuval > > > > On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell = wrote: > > > > > > > > > > > > Hi, > > > > > > > > This is my AD Evaluation of draft-ietf-dime-rfc4006bis-06. = Thanks for the work on this; it=E2=80=99s overall a good update. = However, I have one major comment and a few minor or editorial comments. = I=E2=80=99d like to discuss the major comment prior IETF last call. The = rest can be handled along with any last call feedback. > > > > > > > > Note that for all but the major comment, I mostly reviewed the = diff from RFC 4006. > > > > > > > > Thanks! > > > > > > > > Ben. > > > > > > > > =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2= =80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94 > > > > > > > > Major Comment: > > > > > > > > I strongly suggest that you add more privacy considerations. I = realize that it inherits its existing privacy considerations from RFC = 4006, but that was published in 2005. The IETF=E2=80=99s focus on = privacy has evolved considerably since then, and I think this draft will = get objections during IESG review without adding some more. > > > > > > > > I suggest the following: > > > > =E2=80=94 Create a =E2=80=9CPrivacy Considerations=E2=80=9D = section separate from the security considerations. > > > > =E2=80=94 Enumerate the AVPs that you think contain user = identifiable information, persistent identifiers, or other privacy = sensitive data. > > > > =E2=80=94 Make some non-normative recommendations concerning = data minimization. That is, add a few sentences recommending that = clients and servers avoid capturing and/or log personal information = beyond that needed for the application's purpose. > > > > > > > > Minor Comments: > > > > > > > > -Section 12 and subsections: Please clarify that many of these = elements were already registered by RF 4006, and are not being = =E2=80=9Cre-registered=E2=80=9D here. ( It=E2=80=99s perfectly okay to = pull the registration information forward into the bis draft; it just = needs clarification.) Also, please consider wether existing = registrations should be updated to point to this document rather than = 4006. > > > > > > > > Appendices: Would any of the example flows benefit from = including one or more of the new AVPs? > > > > > > > > Editorial and Nits: > > > > > > > > -Section 8.34: =E2=80=9C If the Final-Unit-Action AVP is set to = RESTRICT_ACCESS or REDIRECT > > > > and the classification of the restricted traffic cannot be = expressed > > > > using IPFilterRule, or different actions (e.g., QoS) than just > > > > allowing QoS needs to be enforced traffic, =E2=80=A6 =E2=80=9C > > > > > > > > I have trouble parsing the sentence. > > > > > > > > -14: "Even without any modification to the messages, an = adversary can > > > > invite a security threat by eavesdropping, as the transactions = contain private information about the user. > > > > =E2=80=9D > > > > I suggest =E2=80=9C =E2=80=A6 an adversary can eavesdrop on = transactions that contain privacy-sensitive imformation=E2=80=9D > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > DiME mailing list > > > > DiME@ietf.org > > > > https://www.ietf.org/mailman/listinfo/dime > > > > > _______________________________________________ > > > DiME mailing list > > > DiME@ietf.org > > > https://www.ietf.org/mailman/listinfo/dime --Apple-Mail=_0FEA1EF4-C53A-420D-98BD-E6BE0BFD7A7C Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIzBAEBCgAdFiEExW9rpd7ez4DexOFOgFZKbJXz1A0FAlqpkcIACgkQgFZKbJXz 1A1cZw/+LVuH7tzjVZVUSZD14Cp0PKvTlPUCh93GdaOm7jwpRYnb1SldvwdTWKbZ ZOuzDQsZKFTRHVzDYhC0G2m3aF4uucQbzr5rn8bHH7/ioznYrbjeGMQbmAJFmsv2 3JvQgT1Bmux/HyVORe2oIOQtK72v5sziFzwY0QC68Po4iCWBM9tmFfqT5SY6Gmwx 3PfnnpYz8AfbFGuaNzf7Wyt/mz8pQDEnHQpZSC+6dDuEU91kbCYXMQfAmu2GBm4w qhxHMR9F/ioZut6ghv+5yKEmsmf5mRNWJ7eSf7aHIDbAMe9hY8CWHerVUbSOJdz1 mnLxuCt/gC9y7yZ9A8G3rduJYvg95cFgwdjkPlbGVMP9YQIMEr+7RGW16Ftt28kP 6bOBWFJALms1VuYuzRRM611M71nFeGEAk0nBfCLtmL9gy1RsmXnr8DtrsiEWnm60 wrrRKzJ8uGAtjr6XfLxd2ageF/v7QFbpWyZYZiTzF31ihwvUK8EnduXRmfoIYh1k fdXxwGEnEe/yakpDfVuhRFWWzp3DpRoxtq9U4VcGCLF0ZMbKaYoTbSVq/tAY7Ge9 G+O5ILE4VuwErPmXhNeuw9Dz2AYCMYg0uytlX1bJLgJ78eirf3h6bsDW/3RqsaGs 1oS6fNwnWnAclJ3N6ARbTkOH3uiU3YQ3pqP3X3rleUuiQ6xVAWs= =d6oA -----END PGP SIGNATURE----- --Apple-Mail=_0FEA1EF4-C53A-420D-98BD-E6BE0BFD7A7C-- From nobody Wed Mar 21 01:51:57 2018 Return-Path: X-Original-To: dime@ietf.org Delivered-To: dime@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7500812D958; Wed, 21 Mar 2018 01:51:21 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dime@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.75.2 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <152162228143.6195.12648326151959425538@ietfa.amsl.com> Date: Wed, 21 Mar 2018 01:51:21 -0700 Archived-At: Subject: [Dime] I-D Action: draft-ietf-dime-rfc4006bis-07.txt X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Mar 2018 08:51:21 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Diameter Maintenance and Extensions WG of the IETF. Title : Diameter Credit-Control Application Authors : Lyle Bertz David Dolson Yuval Lifshitz Filename : draft-ietf-dime-rfc4006bis-07.txt Pages : 125 Date : 2018-03-21 Abstract: This document specifies a Diameter application that can be used to implement real-time credit-control for a variety of end user services such as network access, Session Initiation Protocol (SIP) services, messaging services, and download services. The Diameter Credit- Control application as defined in this document obsoletes RFC4006, and it must be supported by all new Diameter Credit-Control Application implementations. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dime-rfc4006bis/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dime-rfc4006bis-07 https://datatracker.ietf.org/doc/html/draft-ietf-dime-rfc4006bis-07 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dime-rfc4006bis-07 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Thu Mar 29 02:44:05 2018 Return-Path: X-Original-To: dime@ietfa.amsl.com Delivered-To: dime@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 547E11241F3 for ; Thu, 29 Mar 2018 02:03:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.692 X-Spam-Level: X-Spam-Status: No, score=0.692 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XJOT9wAiGGX for ; Thu, 29 Mar 2018 02:03:16 -0700 (PDT) Received: from sonic315-15.consmr.mail.bf2.yahoo.com (sonic315-15.consmr.mail.bf2.yahoo.com [74.6.134.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D69F412D87A for ; Thu, 29 Mar 2018 02:03:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1522314194; bh=ktztjVWPeeRYZBVi3E5dKZTIJwBbtR5NNnpKEtZNmZw=; h=Date:From:To:Cc:Subject:References:From:Subject; b=Dlaec7L4z4N6Cnx6/kGyZZCWZ2k224JTSAPIJmCT4kFP7l+WFYUVls3uYPNAJkKBXPu/5FBoa0HhMqK9sJRNPvkNqEb1FlOEODvc8O72mrBLhLuLXq96LWPy4aTm5h1HY6nGuW2Pxb1V6eECXuhjebpSxXU8ktBNOT9Mj8jxpMSGBPehhpufqOi5QCM2ZAtWTQY9l8EltcVGHcEoWQVt4FEdktPST/4RsVgkbYqLptaJePV+AHd8y+Eg4im/D56BbU5SMSuvKrJOrlRO5TM+Nfl1JwjAfD9d8qds9L1a/OhyDuXl5x8YWjkdzoGFr1ORU+px45AcjaBoTtXfilm0aQ== X-YMail-OSG: s9fGlW0VM1m9nQCruFHiNCBph0ISm1UlKzNrL3os8nkB.n9y2VbiDJXtqQkonA_ brC6FZPPbyQ9Z.oRDl7EZcj_OLyOD9Uo4d0u.UkvqbVoRdC83JkBArdITM1ymNHzGCZLRjkvGN1l _y9cbTSEntEMi04uAPRA6nbojxk9ozk9xY1xnXFxAVcxKRJprj3Awwa.C92AvAMHr_iqne6_GLpt tvtMFYCkDXtgMKdeQV2l4veOVM2D.Nr8h9eZ0qfmVFy8KYU1ltMDH_ZHNwWGq3hKIYyG2VkAXmbO 8UqsEVJLIY7JQbo_9eExUgFrCPynRk_Yzbmlcx8lCAPCWlGQf1TYg4TFT5J9fPnKZiRF0wFBWX7n wiqy3rXHjnmPV2A14RgKbL8Ms4sLeHdzCFiHwZjYQbRavJJ4TFf5Dze.pFNZzH.llxQliRed3t9s X7FKCbSFSS10y.FWvavE3NTZ33pGktpacwXX4issthHUkFp2rV62X2pJX_SsBGicUr2yivbxZc_p LrKOF5KG0smYvHSMers_tKta4 Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.bf2.yahoo.com with HTTP; Thu, 29 Mar 2018 09:03:14 +0000 Date: Thu, 29 Mar 2018 09:02:10 +0000 (UTC) From: Yuval Lifshitz To: "3GPP_TSG_CT_WG4@LIST.ETSI.ORG" <3GPP_TSG_CT_WG4@LIST.ETSI.ORG>, "3GPP_TSG_SA_WG5@LIST.ETSI.ORG" <3GPP_TSG_SA_WG5@LIST.ETSI.ORG> Cc: "dime@ietf.org" , "Gardella Maryse (Nokia - FR/Paris-Saclay)" , Lionel Morand , Manuel Rebellon , Ben Campbell , David Dolson , "Bertz Lyle T [CTO]" , Jouni Message-ID: <377523006.806931.1522314130168@mail.yahoo.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_806930_511438051.1522314130166" References: <377523006.806931.1522314130168.ref@mail.yahoo.com> X-Mailer: WebService/1.1.11643 YMailNorrin Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Archived-At: X-Mailman-Approved-At: Thu, 29 Mar 2018 02:44:04 -0700 Subject: [Dime] last call on IETF RFC4006bis X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Mar 2018 09:03:19 -0000 ------=_Part_806930_511438051.1522314130166 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Dear CT4/SA5, In the IETF Dime group there was an effort for updating RFC4006 (DCCA), whi= ch is now in the "Last Call" phase:=C2=A0https://tools.ietf.org/html/draft-= ietf-dime-rfc4006bis-07 As this effort was originally triggered by an LS from 3GPP SA5 (see:=C2=A0h= ttps://datatracker.ietf.org/liaison/1470/), we would highly appreciate if y= ou can review and provide feedback on the above RFC. Also, feel free to ask= questions and request clarifications on any topic. Best Regards, Yuval Lifshitz ------=_Part_806930_511438051.1522314130166 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Dear CT4/SA5,

=
In = the IETF Dime group there was an effort for updating RFC4006 (DCCA), which = is now in the "Last Call" phase: https://tools.ietf.org/html/draft-ietf-dime-rfc4006bis-07<= /div>
As this effort was originally triggered by an LS from 3GPP = SA5 (see: https://datatracker.ietf.org/lia= ison/1470/), we would highly appreciate if you can review and provide f= eedback on the above RFC. Also, feel free to ask questions and request clar= ifications on any topic.

Best Regards,
<= div>
=
Yuval Lifshitz
------=_Part_806930_511438051.1522314130166-- From nobody Thu Mar 29 18:19:09 2018 Return-Path: X-Original-To: dime@ietf.org Delivered-To: dime@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A298D124B18; Thu, 29 Mar 2018 18:19:07 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: The IESG To: "IETF-Announce" X-Test-IDTracker: no X-IETF-IDTracker: 6.76.2 Auto-Submitted: auto-generated Precedence: bulk CC: ben@nostrum.com, jouni.nospam@gmail.com, Jouni Korhonen , draft-ietf-dime-rfc4006bis@ietf.org, dime-chairs@ietf.org, dime@ietf.org Reply-To: ietf@ietf.org Sender: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-ID: <152237274762.20379.12636926260621923158.idtracker@ietfa.amsl.com> Date: Thu, 29 Mar 2018 18:19:07 -0700 Archived-At: Subject: [Dime] Last Call: (Diameter Credit-Control Application) to Proposed Standard X-BeenThere: dime@ietf.org X-Mailman-Version: 2.1.22 List-Id: Diameter Maintanence and Extentions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Mar 2018 01:19:08 -0000 The IESG has received a request from the Diameter Maintenance and Extensions WG (dime) to consider the following document: - 'Diameter Credit-Control Application' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2018-04-12. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies a Diameter application that can be used to implement real-time credit-control for a variety of end user services such as network access, Session Initiation Protocol (SIP) services, messaging services, and download services. The Diameter Credit- Control application as defined in this document obsoletes RFC4006, and it must be supported by all new Diameter Credit-Control Application implementations. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-dime-rfc4006bis/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-dime-rfc4006bis/ballot/ No IPR declarations have been submitted directly on this I-D.