From isms-bounces@lists.ietf.org Wed May 03 18:50:14 2006
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
To: i-d-announce@ietf.org
From: Internet-Drafts@ietf.org
Message-Id: <E1FbQAT-0002ou-DZ@stiedprstage1.ietf.org>
Date: Wed, 03 May 2006 18:50:01 -0400
Cc: isms@ietf.org
Subject: [Isms] I-D ACTION:draft-ietf-isms-tmsm-02.txt 

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Integrated Security Model for SNMP Working Group of the IETF.

	Title		: Transport Mapping Security Model (TMSM) Architectural Extension for the Simple Network Management Protocol (SNMP)
	Author(s)	: D. Harrington, J. Schoenwaelder
	Filename	: draft-ietf-isms-tmsm-02.txt
	Pages		: 48
	Date		: 2006-5-3
	
This document describes a Transport Mapping Security Model (TMSM)
   extension for the Simple Network Management Protocol (SNMP)
   architecture defined in RFC 3411.  This document identifies and
   discusses some key aspects that need to be considered for any
   transport-mapping-based security model for SNMP.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-isms-tmsm-02.txt

--NextPart
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

--NextPart--





From isms-bounces@lists.ietf.org Mon May 15 09:54:20 2006
Date: Fri, 12 May 2006 11:54:04 -0400
From: David Harrington <dharrington@huawei.com>
In-reply-to: <44643c1a.53b034c7.70a9.ffffa1b4@mx.gmail.com>
To: isms@ietf.org
Message-id: <037201c675dc$4d2ce2c0$0400a8c0@china.huawei.com>
MIME-version: 1.0
Subject: [Isms] RE: A Question about SSHSM Username mapping
Content-Type: multipart/mixed; boundary="===============0398406417=="

This is a multi-part message in MIME format.

--===============0398406417==
Content-type: multipart/alternative;
	boundary="Boundary_(ID_DPLjFkh0N3aGCndw+yJsbA)"

This is a multi-part message in MIME format.

--Boundary_(ID_DPLjFkh0N3aGCndw+yJsbA)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT

Hi,

-----Original Message-----

> I've been doing research on a new SNMPv3 security model,
> using PKI for entity identity verification. However, after the two
> entities performed handshake and verified the identities of each
> other, I got no idea how to map the identity (e.g. the subject of the
> public key certificate) to SNMPv3 dependent SecurityName.
>
> I think SSHSM has to solve the same problem, but I read through
> draft-ietf-isms-secshell-02.txt, and was still unable to understand
> how and where SSHSM decides if the SSH dependent username is
> authorized to be mapped to a specific SecurityName. Where are the
> access rights of the entities stored? Does the mapping happen at the
> RADIUS server? So could you please help to specify the mapping
> process?

Realize that I am muddling my way through these questions myself. But
let me try to answer them for you.
 
1) How does one map from an SSH identity to an SNMP identity?
 
How an authenticated identity is mapped to the securityName is
implementation-dependent. It is not standardized.
 
In SSHSM, the default mapping is the "identity transform" - the name
used by SSH in the "user name" field in SSH is the name that gets
mapped to securityName. 
 
Implementations may choose to use a different mapping of their own
choice. One way to allow for such a mapping would be to have a MIB
module with a mapping table. It would have to be pre-populated with a
translation table between what SSH authenticates and an SNMP
securityName, which would make it harder to deploy than using the
identity transform.
 
2) How do we determine who is authorized to open an SNMP session?
 
This question has not yet been addressed by the ISMS WG.
 
In SSHSM, we currently don't make an explicit access authorization
decision at the point of establishing an snmp session.
If the person (or principal) can authenticate himself, he is allowed
to open an SNMP session. But when that person tries to access SNMP
data, the access control model (e.g., VACM) determines whether they
are authorized to get access to the data.
 
We probably need to address this better, because the current approach
is vulnerable to denial of service attacks from those who have access
to the device, but should not have access to snmp.
 
We deliberately chose to only discuss the connection between SNMP and
SSH, and not to address whether SSH seeks authorization information
from RADIUS or other AAA server to make its access decision. That is
an SSH implementation and deployment decision.
 
David Harrington
dharrington@huawei.com
dbharrington@comcast.net
ietfdbh@comcast.net


 




--Boundary_(ID_DPLjFkh0N3aGCndw+yJsbA)--


--===============0398406417==--




From isms-bounces@lists.ietf.org Mon May 15 17:33:49 2006
Date: Mon, 15 May 2006 23:33:31 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: David Harrington <dharrington@huawei.com>
Subject: Re: [Isms] RE: A Question about SSHSM Username mapping
Message-ID: <20060515213331.GA24075@noname>
Mail-Followup-To: David Harrington <dharrington@huawei.com>,
	isms@ietf.org
References: <44643c1a.53b034c7.70a9.ffffa1b4@mx.gmail.com>
	<037201c675dc$4d2ce2c0$0400a8c0@china.huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <037201c675dc$4d2ce2c0$0400a8c0@china.huawei.com>
Cc: isms@ietf.org
Reply-To: j.schoenwaelder@iu-bremen.de

On Fri, May 12, 2006 at 11:54:04AM -0400, David Harrington wrote:
 
> 2) How do we determine who is authorized to open an SNMP session?
>  
> This question has not yet been addressed by the ISMS WG.
>  
> In SSHSM, we currently don't make an explicit access authorization
> decision at the point of establishing an snmp session.
> If the person (or principal) can authenticate himself, he is allowed
> to open an SNMP session.

In some sense, this is already a first level access control decision.
The question was "who is authorized to _open_ an SNMP session" and the
answer I think is "any user who can authenticate".

> But when that person tries to access SNMP data, the access control
> model (e.g., VACM) determines whether they are authorized to get
> access to the data.
>
> We probably need to address this better, because the current approach
> is vulnerable to denial of service attacks from those who have access
> to the device, but should not have access to snmp.

Our code hooks into PAM and you have PAM configuration specifically
for SNMP. In other words, I am not sure the problem really exists (or
at least it is not worse than for any other SSH subsystem). I checked
the security considerations in the netconf over ssh ID as well and
there was nothing about denial of service either.
  
/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Mon May 15 17:51:16 2006
Date: Mon, 15 May 2006 23:51:02 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060515215102.GB24075@noname>
Mail-Followup-To: isms@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [Isms] ssh window adjustments
Reply-To: j.schoenwaelder@iu-bremen.de

Hi,

I have a question concerning the SSH windowing mechanism. RFC 4254
says:

   The window size specifies how many bytes the other party can send
   before it must wait for the window to be adjusted.  Both parties use
   the following message to adjust the window.

The document then explains the window adjust message but it does not
really say when window adjustments are generated. (There are no real
elements of procedure in RFC 4254 as far as I can tell.)

The reason I am asking this question is a surprising behaviour of the
SSH library we are using in our SNMP over SSH prototype. In a
nutshell, a getnext/response SNMP interaction comes out as follows in
terms of SSH connection protocol messages:

  C: SSH_MSG_CHANNEL_DATA
  S: SSH_MSG_CHANNEL_WINDOW_ADJUST
  S: SSH_MSG_CHANNEL_DATA
  C: SSH_MSG_CHANNEL_WINDOW_ADJUST

The SSH library likes to send a window adjustment whenever it has
received data. While the adjustment message itself is small (9 bytes),
it gets padded, encrypted, hmac'ed, wrapped and the result is notably
larger than 9 bytes (typically 52 bytes). Furthermore, while TCP ACK
piggybacking works nicely, these window adjustments basically double
the TCP messages we are seeing. We have been playing with openssh to
produce a similar interaction pattern and we did not see the same
behaviour so we kind of believe these frequent window adjustments are
a "feature" of the SSH library we are using.

But since we found RFC 4254 not particularly clear on this subject, I
thought I better ask here for some advice from the SSH experts before
studying several implementations.

/js

P.S. There might be a larger issue how we deal with TCP layer buffers,
     SSH channel buffers and SNMP engine buffers in a useful way.

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
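
The 52-byte figure in the message above can be reproduced from the RFC 4253 binary packet layout. The following is an added example, not code from the thread or from any SSH library: it builds the 9-byte window adjust payload, computes its size on the wire, and compares adjusting after every received message with a hypothetical threshold policy. The cipher (16-byte block, AES-CBC) and MAC (20 bytes, HMAC-SHA1), the SNMP message lengths, the window size and the threshold policy are assumptions.

```python
import struct

SSH_MSG_CHANNEL_WINDOW_ADJUST = 93  # message numbers from RFC 4254
SSH_MSG_CHANNEL_DATA = 94


def window_adjust_payload(recipient_channel, bytes_to_add):
    """byte type || uint32 recipient channel || uint32 bytes to add = 9 bytes."""
    return struct.pack(">BII", SSH_MSG_CHANNEL_WINDOW_ADJUST,
                       recipient_channel, bytes_to_add)


def channel_data_payload(recipient_channel, data):
    """byte type || uint32 recipient channel || string data (uint32 length + bytes)."""
    header = struct.pack(">BII", SSH_MSG_CHANNEL_DATA, recipient_channel, len(data))
    return header + data


def wire_size(payload_len, cipher_block=16, mac_len=20):
    """Bytes on the wire for one RFC 4253 binary packet, without compression.

    Defaults assume a 16-byte block cipher (AES-CBC) and a 20-byte MAC (HMAC-SHA1).
    """
    block = max(8, cipher_block)
    unpadded = 4 + 1 + payload_len        # packet_length + padding_length + payload
    padding = block - (unpadded % block)  # pad up to a multiple of the block size
    if padding < 4:                       # RFC 4253 requires at least 4 padding bytes
        padding += block
    return unpadded + padding + mac_len


def simulate(exchanges, request_len, response_len, initial_window, eager):
    """Count SSH packets and bytes for a run of getnext/response exchanges.

    eager=True  : adjust the window after every received CHANNEL_DATA
                  (the C/S/S/C pattern shown in the message).
    eager=False : hypothetical policy that adjusts only once the remaining
                  receive window has dropped below half its initial size.
    """
    adjust_size = wire_size(len(window_adjust_payload(0, 0)))
    remaining = {"server": initial_window, "client": initial_window}
    packets = total_bytes = 0
    for _ in range(exchanges):
        for receiver, snmp_len in (("server", request_len), ("client", response_len)):
            payload = channel_data_payload(0, bytes(snmp_len))
            packets += 1
            total_bytes += wire_size(len(payload))
            remaining[receiver] -= snmp_len   # window counts channel data bytes only
            if eager or remaining[receiver] < initial_window // 2:
                remaining[receiver] = initial_window
                packets += 1
                total_bytes += adjust_size
    return packets, total_bytes


if __name__ == "__main__":
    print("window adjust on the wire:", wire_size(9), "bytes")
    for eager in (True, False):
        # Constructed workload: 100 exchanges, 40-byte requests, 60-byte responses.
        print("eager" if eager else "threshold", simulate(100, 40, 60, 32768, eager))
```

The byte counts cover SSH packets only; TCP and IP headers for the extra segments come on top.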



From isms-bounces@lists.ietf.org Mon May 15 18:00:03 2006
MIME-Version: 1.0
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms] RE: A Question about SSHSM Username mapping
Date: Mon, 15 May 2006 17:59:56 -0400
Message-ID: <3CFB564E055A594B82C4FE89D215656021923E@MABOSEVS2.ets.enterasys.com>
From: "Nelson, David" <dnelson@enterasys.com>
To: <isms@ietf.org>

Juergen Schoenwaelder writes...

> > In SSHSM, we currently don't make an explicit access authorization
> > decision at the point of establishing an snmp session.
> > If the person (or principal) can authenticate himself, he is allowed
> > to open an SNMP session.
>
> In some sense, this is already a first level access control decision.
> The question was "who is authorized to _open_ an SNMP session" and the
> answer I think is "any user who can authenticate".

This is the model used by systems such as SSH.  It is basically an
authentication model.  What may be desired is an authentication and
authorization model.

> > But when that person tries to access SNMP data, the access control
> > model (e.g., VACM) determines whether they are authorized to get
> > access to the data.
> >
> > We probably need to address this better, because the current approach
> > is vulnerable to denial of service attacks from those who have access
> > to the device, but should not have access to snmp.
>
> Our code hooks into PAM and you have PAM configuration specifically
> for SNMP. In other words, I am not sure the problem really exists (or
> at least it is not worse than for any other SSH subsystem).

I think the problem is no worse than for any other SSH subsystem.  OTOH,
it seems to me that existing SSH subsystems are about authentication and
not authorization.  For example, if you use SSH to log into a remote
host, the fact that you have authentication credentials available on
that host (locally or remotely), is sufficient to give you a shell
prompt.  Your authorization to access data objects and services is
typically controlled by file access permissions of one sort or another,
implemented within the host OS.

In terms of opening an SNMP session, we can assume that a similar model
applies.   There are existing access control methods for SNMPv3.  One
shortcoming, however, is that the standard PAM interface does not
provide the authorization information -- only an authenticated identity.
In order to take advantage of full integration with existing AAA
infrastructures, such as RADIUS, we have tentatively decided that SSHSM
needs to perform a separate authorization request, after the SNMP
session is initiated from SSH.

The fact that a user may authenticate in some administrative domain, and
is allowed to log onto any workstation in that domain, does not mean
that user should have management access to the network infrastructure.

Mapping authenticated identity to the SNMP securityName is only
sufficient if you plan to store all the valid usernames in each managed
entity.  I think the benefit of adding an authorization phase to SSHSM
is that an authenticated authorization level can be used at each managed
entity to determine whether SNMP access is allowed at all, and if so
what access control should be applied.  In practical terms the number of
unique authorization "names" is small -- akin to the number of groups in
a password authentication system.  It allows the binding of users to
groups to occur in the AAA back end system, and the managed entities to
be configured with a small number of group names for authorization
purposes.


_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms



From isms-bounces@lists.ietf.org Mon May 15 19:09:31 2006
Subject: RE: [Isms] RE: A Question about SSHSM Username mapping
Date: Mon, 15 May 2006 16:17:03 -0700
Message-ID: <7210B31550AC934A8637D6619739CE6907077F7B@e2k-sea-xch2.sea-alpha.cisco.com>
From: "Salowey, Joe" <jsalowey@cisco.com>
To: <j.schoenwaelder@iu-bremen.de>, "David Harrington" <dharrington@huawei.com>
Cc: isms@ietf.org

> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Monday, May 15, 2006 2:34 PM
> To: David Harrington
> Cc: isms@ietf.org
> Subject: Re: [Isms] RE: A Question about SSHSM Username mapping
>
> On Fri, May 12, 2006 at 11:54:04AM -0400, David Harrington wrote:
>
> > 2) How do we determine who is authorized to open an SNMP session?
> >
> > This question has not yet been addressed by the ISMS WG.
> >
> > In SSHSM, we currently don't make an explicit access authorization
> > decision at the point of establishing an snmp session.
> > If the person (or principal) can authenticate himself, he is allowed
> > to open an SNMP session.
>
> In some sense, this is already a first level access control decision.
> The question was "who is authorized to _open_ an SNMP session" and the
> answer I think is "any user who can authenticate".
>
[Joe] I think this is an implementation decision.  An implementation may
wish to authorize access to the SNMP subsystem for some users and
deny others.

> > But when that person tries to access SNMP data, the access control
> > model (e.g., VACM) determines whether they are authorized to get
> > access to the data.
> >
> > We probably need to address this better, because the current approach
> > is vulnerable to denial of service attacks from those who have access
> > to the device, but should not have access to snmp.
>
> Our code hooks into PAM and you have PAM configuration specifically
> for SNMP. In other words, I am not sure the problem really exists (or
> at least it is not worse than for any other SSH subsystem). I checked
> the security considerations in the netconf over ssh ID as well and
> there was nothing about denial of service either.
>
> /js
>
> --
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany



From isms-bounces@lists.ietf.org Mon May 15 19:26:31 2006
Subject: RE: [Isms] RE: A Question about SSHSM Username mapping
Date: Mon, 15 May 2006 16:26:17 -0700
Message-ID: <618694EF0B657246A4D55A97E38274C301A86ED3@xmb-sjc-22d.amer.cisco.com>
From: "Kaushik Narayan \(kaushik\)" <kaushik@cisco.com>
To: "Nelson, David" <dnelson@enterasys.com>, <isms@ietf.org>

Hi David,

Please find my reply inline.

<snipped>

I think the problem is no worse than for any other SSH subsystem.  OTOH,
it seems to me that existing SSH subsystems are about authentication and
not authorization.  For example, if you use SSH to log into a remote
host, the fact that you have authentication credentials available on
that host (locally or remotely), is sufficient to give you a shell
prompt.  Your authorization to access data objects and services is
typically controlled by file access permissions of one sort or another,
implemented within the host OS.

In terms of opening an SNMP session, we can assume that a similar model
applies.   There are existing access control methods for SNMPv3.  One
shortcoming, however, is that the standard PAM interface does not
provide the authorization information -- only an authenticated identity.
In order to take advantage of full integration with existing AAA
infrastructures, such as RADIUS, we have tentatively decided that SSHSM
needs to perform a separate authorization request, after the SNMP
session is initiated from SSH.

The fact that a user may authenticate in some administrative domain, and
is allowed to log onto any workstation in that domain, does not mean
that user should have management access to the network infrastructure.

Mapping authenticated identity to the SNMP securityName is only
sufficient if you plan to store all the valid usernames in each managed
entity.  I think the benefit of adding an authorization phase to SSHSM
is that an authenticated authorization level can be used at each managed
entity to determine whether SNMP access is allowed at all, and if so
what access control should be applied.  In practical terms the number of
unique authorization "names" is small -- akin to the number of groups in
a password authentication system.  It allows the binding of users to
groups to occur in the AAA back end system, and the managed entities to
be configured with a small number of group names for authorization
purposes.


<Kaushik> I don't think this is an SSH issue since SSH is primarily
responsible for the transport channel after successful authentication.
Authorization is well within the realm of SNMP and we have really never
addressed how ISMS is going to handle authorization of principals
authenticated externally. I agree with you that requiring securityName
mappings on each SNMP engine really does not do anything to address the
administrative burden we sought to fix with ISMS. VACM already has the
concept of groups; group-mapping is the most effective way of addressing
authorization and that's what we had proposed with EUSM. In fact,
group-mapping may be leveraged by other management protocols such as
NetConf for authorization of operations.





From isms-bounces@lists.ietf.org Mon May 15 23:48:46 2006
Subject: RE: [Isms] RE: A Question about SSHSM Username mapping
Date: Mon, 15 May 2006 20:47:46 -0700
Message-ID: <1201449A090B0843854022982BB025F907DD9B@xmb-sjc-219.amer.cisco.com>
From: "Khanh Nguyen \(khanhvn\)" <khanhvn@cisco.com>
To: "Kaushik Narayan \(kaushik\)" <kaushik@cisco.com>,
	"Nelson, David" <dnelson@enterasys.com>, <isms@ietf.org>

The PAM interface can be used for authorization.  After a call to
pam_authenticate, the application can call pam_acct_mgmt to check if the
user has a certain access right.  We've been using PAM successfully to
authenticate and authorize users via TACACS+.

Khanh

> -----Original Message-----
> From: Kaushik Narayan (kaushik)
> Sent: Monday, May 15, 2006 4:26 PM
> To: Nelson, David; isms@ietf.org
> Subject: RE: [Isms] RE: A Question about SSHSM Username mapping
>
> Hi David,
>
> Please find my reply inline.
>
> <snipped>
>
> I think the problem is no worse than for any other SSH
> subsystem.  OTOH, it seems to me that existing SSH subsystems
> are about authentication and not authorization.  For example,
> if you use SSH to log into a remote host, the fact that you
> have authentication credentials available on that host
> (locally or remotely), is sufficient to give you a shell
> prompt.  Your authorization to access data objects and
> services is typically controlled by file access permissions
> of one sort or another, implemented within the host OS.
>
> In terms of opening an SNMP session, we can assume that a
> similar model applies.  There are existing access control methods
> for SNMPv3.  One shortcoming, however, is that the standard PAM
> interface does not provide the authorization information -- only
> an authenticated identity.
> In order to take advantage of full integration with existing
> AAA infrastructures, such as RADIUS, we have tentatively
> decided that SSHSM needs to perform a separate authorization
> request, after the SNMP session is initiated from SSH.
>
> The fact that a user may authenticate in some administrative
> domain, and is allowed to log onto any workstation in that
> domain, does not mean that user should have management access
> to the network infrastructure.
>
> Mapping authenticated identity to the SNMP securityName is
> only sufficient if you plan to store all the valid usernames
> in each managed entity.  I think the benefit of adding an
> authorization phase to SSHSM is that an authenticated
> authorization level can be used at each managed entity to
> determine whether SNMP access is allowed at all, and if so
> what access control should be applied.  In practical terms
> the number of unique authorization "names" is small -- akin
> to the number of groups in a password authentication system.
> It allows the binding of users to groups to occur in the AAA
> back end system, and the managed entities to be configured
> with a small number of group names for authorization purposes.
>
>
> <Kaushik> I don't think this is an SSH issue since SSH is
> primarily responsible for the transport channel after successful
> authentication.
> Authorization is well within the realm of SNMP and we have really
> never addressed how ISMS is going to handle authorization of
> principals authenticated externally. I agree with you that
> requiring securityName mappings on each SNMP engine really
> does not do anything to address the administrative burden we
> sought to fix with ISMS. VACM already has the concept of groups;
> group-mapping is the most effective way of addressing
> authorization and that's what we had proposed with EUSM.
> In fact, group-mapping may be leveraged by other management
> protocols such as NetConf for authorization of operations.

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
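
The session-open decision debated in this thread (authenticate first, then make a separate authorization request that yields one of a few group names, then apply VACM-style access control to the data), as an added Python sketch that is not code from the ISMS drafts or from any poster. The class names, users, group names and OID views are constructed assumptions, and the AAA back end is an in-memory stand-in for RADIUS or TACACS+.

```python
# Constructed model: AaaBackend stands in for a RADIUS/TACACS+ server;
# users, group names and OID views are sample data made up for this example.
import hashlib
import hmac
import os
from dataclasses import dataclass


def parse_oid(text):
    return tuple(int(part) for part in text.split("."))


class AaaBackend:
    """Central store: users are bound to groups here, not on each device."""

    def __init__(self):
        self._creds = {}  # user -> (salt, password digest)
        self._authz = {}  # user -> authorization name; absent = no SNMP role

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def add_user(self, user, password, authz_name=None):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._kdf(password, salt))
        if authz_name is not None:
            self._authz[user] = authz_name

    def authenticate(self, user, password):
        """Phase 1, the pam_authenticate step: is this identity genuine?"""
        # Unknown users still cost one KDF run, so timing does not reveal them.
        salt, stored = self._creds.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(self._kdf(password, salt), stored)

    def authorization_name(self, user):
        """Phase 2, the separate authorization request made afterwards."""
        return self._authz.get(user)


@dataclass(frozen=True)
class VacmGroup:
    name: str
    read_view: tuple   # OID subtrees the group may read
    write_view: tuple  # OID subtrees the group may write


@dataclass(frozen=True)
class Session:
    security_name: str
    group: "VacmGroup | None"

    def may(self, operation, oid):
        """VACM-style check: does the OID fall inside the group's view?"""
        if self.group is None or operation not in ("read", "write"):
            return False
        view = self.group.read_view if operation == "read" else self.group.write_view
        target = parse_oid(oid)
        # Compare whole sub-identifiers: 1.3.6.1.2.1.1 must not cover ...2.1.10.
        return any(target[:len(sub)] == sub for sub in map(parse_oid, view))


class ManagedEntity:
    """Configured with a few group names, not with every username."""

    def __init__(self, aaa, groups, authorize_at_open=True):
        self.aaa = aaa
        self.groups = {group.name: group for group in groups}
        self.authorize_at_open = authorize_at_open

    def open_session(self, user, password):
        """Return (verdict, session); session is None when refused."""
        if not self.aaa.authenticate(user, password):
            return "refused: authentication", None
        group = self.groups.get(self.aaa.authorization_name(user))
        if group is None and self.authorize_at_open:
            return "refused: authorization", None
        return "admitted", Session(user, group)


def build_demo():
    aaa = AaaBackend()
    aaa.add_user("alice", "a-pass", "net-admin")
    aaa.add_user("bob", "b-pass", "net-monitor")
    aaa.add_user("carol", "c-pass")  # domain login only, no management role
    groups = [
        VacmGroup("net-admin", ("1.3.6.1.2.1",), ("1.3.6.1.2.1.1",)),
        VacmGroup("net-monitor", ("1.3.6.1.2.1.1", "1.3.6.1.2.1.2"), ()),
    ]
    return aaa, groups


if __name__ == "__main__":
    aaa, groups = build_demo()
    for strict in (False, True):
        entity = ManagedEntity(aaa, groups, authorize_at_open=strict)
        for user, pw in (("alice", "a-pass"), ("carol", "c-pass"), ("bob", "x")):
            print(strict, user, entity.open_session(user, pw)[0])
```

With `authorize_at_open=False` the model reproduces the behaviour described for SSHSM at the time: carol is admitted and only the per-OID check stops her, while the default refuses her before any SNMP processing starts.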



From isms-bounces@lists.ietf.org Wed May 17 08:11:35 2006
Date: Wed, 17 May 2006 14:11:24 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517121124.GB2730@boskop.local>
Subject: [Isms] progressing the tmsm document

Hi,

an updated version of the TMSM document has been out since May 3rd:

http://www.ietf.org/internet-drafts/draft-ietf-isms-tmsm-02.txt

This document has improved a lot since its last revision and there are
only a few [discuss] and [todo] markers left in the document.

I will start separate threads in subsequent emails in order to resolve
these issues. Hopefully this can be done quickly so that we can spin
another revision and have a first WG last call on this document
completed before July.

So please, get ready to read the document and to help us close the few
open issues that are left.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 14:57:11 2006
Date: Wed, 17 May 2006 20:56:58 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185658.GA6311@boskop.local>
Subject: [Isms] tmsm issue #1: meaning of authoritative in the context of
	TMSM (p28)

tmsm issue #1: meaning of authoritative in the context of TMSM (p28)

  We need to discuss what the meaning of authoritative would be in a
  TMSM environment.

  -> strawman: the meaning of authoritative in the sense of clock
     synchronization does not apply to TMSM instances and is
     irrelevant

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 14:57:20 2006
Date: Wed, 17 May 2006 20:57:15 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185715.GB6311@boskop.local>
Subject: [Isms] tmsm issue #2: purpose of msgSecurityParameters in TMSM (p28)

tmsm issue #2: purpose of msgSecurityParameters in TMSM (p28)

  We need to discuss whether the specific services provided in USM
  security from msgSecurityParameters still are needed, and how the
  Message Processing model provides this information to the security
  model via generateRequestMsg() and processIncomingMsg() primitives.
  RFC3412 specifies that "The data in the msgSecurityParameters field
  is used exclusively by the Security Model, and the contents and
  format of the data is defined by the Security Model.  This OCTET
  STRING is not interpreted by the v3MP, but is passed to the local
  implementation of the Security Model indicated by the
  msgSecurityModel field in the message."

  -> strawman: we leave the contents of the msgSecurityParameters to
     the definition of a concrete TMSM instance

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 14:57:36 2006
Date: Wed, 17 May 2006 20:57:29 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185729.GC6311@boskop.local>
Subject: [Isms] tmsm issue #3: handling of msgFlags and securityLevel (p29)
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

tmsm issue #3: handling of msgFlags and securityLevel (p29)

  The text says that messages must be discarded if the underlying
  transport can't provide the requested security. How is yet to be
  determined, and may be model-specific or implementation-specific.

  -> strawman: yes, the implementation is implementation specific
     and the [discuss] should simply be dropped

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 15:02:42 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgRIA-0007A6-IK; Wed, 17 May 2006 15:02:42 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgRI9-00079l-4J
	for isms@ietf.org; Wed, 17 May 2006 15:02:41 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgRI8-00020h-RZ
	for isms@ietf.org; Wed, 17 May 2006 15:02:41 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 66E46561A7
	for <isms@ietf.org>; Wed, 17 May 2006 21:02:40 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 24653-04; Wed, 17 May 2006 21:02:38 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id 0F9E656080;
	Wed, 17 May 2006 20:57:46 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id AB5F16E0A11; Wed, 17 May 2006 20:57:44 +0200 (CEST)
Date: Wed, 17 May 2006 20:57:44 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185744.GD6311@boskop.local>
Mail-Followup-To: isms@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d17f825e43c9aed4fd65b7edddddec89
Cc: 
Subject: [Isms] tmsm issue #4: notification state of NO initiated sessions
	(p31)
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

tmsm issue #4: notification state of NO initiated sessions (p31)

  We need to determine what state needs to be saved here.

  -> unclear what is needed here or what this issue is all about

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 15:02:53 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgRIL-0007Ch-NB; Wed, 17 May 2006 15:02:53 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgRIJ-0007Cc-S6
	for isms@ietf.org; Wed, 17 May 2006 15:02:51 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgRII-00020p-In
	for isms@ietf.org; Wed, 17 May 2006 15:02:51 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 26B3D56095
	for <isms@ietf.org>; Wed, 17 May 2006 21:02:50 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 24653-05; Wed, 17 May 2006 21:02:48 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id CAD645609C;
	Wed, 17 May 2006 20:58:04 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id 6F7AC6E0A32; Wed, 17 May 2006 20:58:02 +0200 (CEST)
Date: Wed, 17 May 2006 20:58:02 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185802.GE6311@boskop.local>
Mail-Followup-To: isms@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 08170828343bcf1325e4a0fb4584481c
Cc: 
Subject: [Isms] tmsm issue #5: session table (p39)
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

tmsm issue #5: session table (p39)

  Should it be possible for a manager to create or modify rows in the
  session table?  If so, then we may need the rowstatus object.  If
  the session table is read-only then we can probably eliminate the
  rowstatus.  If the table is not read-only, then we need to list the
  tables and objects and state why they are sensitive.

  -> strawman: the session table is read-only

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 15:03:09 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgRIb-0007Fq-SQ; Wed, 17 May 2006 15:03:09 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgRIZ-0007Fi-S0
	for isms@ietf.org; Wed, 17 May 2006 15:03:07 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgRIX-00021O-I6
	for isms@ietf.org; Wed, 17 May 2006 15:03:07 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 21CC95609D
	for <isms@ietf.org>; Wed, 17 May 2006 21:03:05 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 24567-09; Wed, 17 May 2006 21:03:03 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id 3C067560DC;
	Wed, 17 May 2006 20:58:40 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id E0DFC6E0A41; Wed, 17 May 2006 20:58:38 +0200 (CEST)
Date: Wed, 17 May 2006 20:58:38 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185838.GG6311@boskop.local>
Mail-Followup-To: isms@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: de4f315c9369b71d7dd5909b42224370
Cc: 
Subject: [Isms] tmsm issue #7: transport type (p40)
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

tmsm issue #7: transport type (p40)

  How do we add a new TransportType?

  I am not sure, but the underlying question might be whether we use
  generic TransportAddress and TransportAddressType TCs or stick with
  the traditional TDomain and TAddress TCs.

  -> strawman: We use TDomain/TAddress and every TMSM instance provides
     appropriate TCs and OID constants for the specific SNMP
     transport.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 15:14:13 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgRTJ-0002rF-Uc; Wed, 17 May 2006 15:14:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgRTI-0002r7-B9
	for isms@ietf.org; Wed, 17 May 2006 15:14:12 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129]
	helo=chiedprmail1.ietf.org)
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgRTI-0002P9-9k
	for isms@ietf.org; Wed, 17 May 2006 15:14:12 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FgRIQ-0008GB-TS
	for isms@ietf.org; Wed, 17 May 2006 15:03:00 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id A03F55609C
	for <isms@ietf.org>; Wed, 17 May 2006 21:02:55 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 24607-04; Wed, 17 May 2006 21:02:54 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id B3849560BA;
	Wed, 17 May 2006 20:58:22 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id 660B76E0A39; Wed, 17 May 2006 20:58:21 +0200 (CEST)
Date: Wed, 17 May 2006 20:58:21 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060517185821.GF6311@boskop.local>
Mail-Followup-To: isms@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 08170828343bcf1325e4a0fb4584481c
Cc: 
Subject: [Isms] tmsm issue #6: security considerations (p40)
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

tmsm issue #6: security considerations (p40)

  How do we modify this section for an SNMP/SSH or other transport
  mapping security model?  If the security model provides for
  securityName/Level/Model then some of the normal boilerplate is not
  true.

  -> strawman: TMSM instance specific text goes into the document which
     defines the TMSM instance - drop the discuss.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Wed May 17 16:11:46 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgSN0-0006QW-OI; Wed, 17 May 2006 16:11:46 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgSMz-0006QD-4A
	for isms@ietf.org; Wed, 17 May 2006 16:11:45 -0400
Received: from chokecherry.srv.cs.cmu.edu ([128.2.185.41])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgSMy-00070Z-S5
	for isms@ietf.org; Wed, 17 May 2006 16:11:45 -0400
Received: from sirius.fac.cs.cmu.edu (SIRIUS.FAC.CS.CMU.EDU [128.2.209.170])
	(authenticated bits=0)
	by chokecherry.srv.cs.cmu.edu (8.13.5/8.13.5) with ESMTP id
	k4HKBhvU011573
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Wed, 17 May 2006 16:11:43 -0400 (EDT)
Date: Wed, 17 May 2006 16:11:43 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: j.schoenwaelder@iu-bremen.de, isms@ietf.org
Subject: Re: [Isms] tmsm issue #1: meaning of authoritative in the context
	of	TMSM (p28)
Message-ID: <37628639541571B784205B4A@sirius.fac.cs.cmu.edu>
In-Reply-To: <20060517185658.GA6311@boskop.local>
	<20060517185715.GB6311@boskop.local>
	<20060517185729.GC6311@boskop.local>
	<20060517185744.GD6311@boskop.local>
	<20060517185802.GE6311@boskop.local>
	<20060517185838.GG6311@boskop.local>
	<20060517185821.GF6311@boskop.local>
References: <20060517185658.GA6311@boskop.local>
Originator-Info: login-token=Mulberry:01bpM89Nj7sWi63rR1oRFsYwUFcx/1x7XbCGpZpBM=;
	token_authority=postmaster@andrew.cmu.edu
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8a20a483a84f747e56475e290ee868e
Cc: Jeffrey Hutzelman <jhutz@cmu.edu>
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org



On Wednesday, May 17, 2006 08:56:58 PM +0200 Juergen Schoenwaelder 
<j.schoenwaelder@iu-bremen.de> wrote:

> tmsm issue #1: meaning of authoritative in the context of TMSM (p28)
>
>   -> strawman: the meaning of authoritative in the sense of clock
>      synchronization does not apply to TMSM instances and is
>      irrelevant

From my limited understanding of what's going on here, this concept of 
"authoritative" is specific to the way USM works, and should be irrelevant 
to TMSM, at least at the abstract layer.



> tmsm issue #2: purpose of msgSecurityParameters in TMSM (p28)
>
>   -> strawman: we leave the contents of the msgSecurityParameters to
>      the definition of a concrete TMSM instance

Agree.



> tmsm issue #3: handling of msgFlags and securityLevel (p29)
>
>   The text says that messages must be discarded if the underlying
>   transport can't provide the requested security. How is yet to be
>   determined, and may be model-specific or implementation-specific.
>
>   -> strawman: yes, the implementation is implementation specific
>      and the [discuss] should simply be dropped

Yup.  There may be cases where the model needs to define exactly what it 
means for the underlying transport to provide the needed security; for 
example, SSHSM could decide that the level of security provided by an SSH 
connection depends on whether the null cipher is used, or not.  Or, it 
could leave that up to the implementation or to configuration.  In any 
event, actually determining what cipher is in use would certainly be 
implementation specific.



> tmsm issue #4: notification state of NO initiated sessions (p31)

I have to go reread documents before I can comment on this.



> tmsm issue #5: session table (p39)
>
>   Should it be possible for a manager to create or modify rows in the
>   session table?  If so, then we may need the rowstatus object.  If
>   the session table is read-only then we can probably eliminate the
>   rowstatus.  If the table is not read-only, then we need to list the
>   tables and objects and state why they are sensitive.
>
>   -> strawman: the session table is read-only

The session table appears to be a means for exposing information about 
cached transport sessions.  Since the actual sessions represented by these 
rows typically include things like actual transport connections and 
security state associated with those connections, it seems nonsensical for 
this table to be anything other than read-only.  In fact, I'm not entirely 
convinced this essentially internal state should be exposed at all.



> tmsm issue #7: transport type (p40)
>
>   How do we add a new TransportType?
>
>   I am not sure, but the underlying question might be whether we use
>   generic TransportAddress and TransportAddressType TCs or stick with
>   the traditional TDomain and TAddress TCs.
>
>   -> strawman: We use TDomain/TAddress and every TMSM instance provides
>      appropriate TCs and OID constants for the specific SNMP
>      transport.

I'm not sure I understand what you're proposing; maybe I need to go back 
and look at SNMPv3 again.  My recollection from the interim was that we 
came to the conclusion that a new transport address type would be necessary 
to describe SSH endpoints by name.



> tmsm issue #6: security considerations (p40)
>
>   How do we modify this section for an SNMP/SSH or other transport
>   mapping security model?  If the security model provides for
>   securityName/Level/Model then some of the normal boilerplate is not
>   true.
>
>   -> strawman: TMSM instance specific text goes into the document which
>      defines the TMSM instance - drop the discuss.

Agree.  Each TMSM is going to have to have security considerations which 
depend on the underlying transport and on how it is being used.

-- Jeff

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
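
The check discussed under issue #3 above, written out as an added example that is not part of the original messages or of the draft: a message is discarded when the transport session cannot provide the securityLevel requested in msgFlags. The msgFlags bits and securityLevel values are those of RFC 3412 and RFC 3411; TransportSession, level_provided() and the policy of treating the SSH "none" cipher as providing no privacy are assumptions made for illustration.

```python
"""Added example: enforcing the requested securityLevel against what a
secure transport session actually provides (tmsm issue #3)."""
from enum import IntEnum
from typing import NamedTuple

# msgFlags bits in the SNMPv3 message header (RFC 3412).
AUTH_FLAG = 0x01
PRIV_FLAG = 0x02
REPORTABLE_FLAG = 0x04  # unrelated to security; must not affect the check

# SSH ciphers that carry their own integrity protection (AEAD); with
# these the separately negotiated MAC is not used.
AEAD_CIPHERS = frozenset({
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
})


class SecurityLevel(IntEnum):
    """securityLevel values from RFC 3411, ordered weakest to strongest."""
    NO_AUTH_NO_PRIV = 1
    AUTH_NO_PRIV = 2
    AUTH_PRIV = 3


class DiscardMessage(Exception):
    """The message must be dropped, not processed at a lower level."""


class TransportSession(NamedTuple):
    """Hypothetical summary of an established SSH session (assumption)."""
    peer_authenticated: bool
    cipher: str  # negotiated encryption algorithm; "none" is the null cipher
    mac: str     # negotiated MAC algorithm; "none" means no integrity


def level_from_msg_flags(msg_flags: int) -> SecurityLevel:
    """Decode the requested securityLevel from the msgFlags octet."""
    auth = bool(msg_flags & AUTH_FLAG)
    priv = bool(msg_flags & PRIV_FLAG)
    if priv and not auth:
        # Privacy without authentication is not a valid combination.
        raise DiscardMessage("privFlag set without authFlag")
    if priv:
        return SecurityLevel.AUTH_PRIV
    return SecurityLevel.AUTH_NO_PRIV if auth else SecurityLevel.NO_AUTH_NO_PRIV


def level_provided(session: TransportSession) -> SecurityLevel:
    """Assumed model policy: what level does this session really give us?"""
    null_cipher = session.cipher in ("", "none")
    null_mac = session.mac in ("", "none")
    has_integrity = session.cipher in AEAD_CIPHERS or not null_mac
    if not (session.peer_authenticated and has_integrity):
        return SecurityLevel.NO_AUTH_NO_PRIV
    if null_cipher:
        # Authenticated and integrity-protected, but sent in the clear.
        return SecurityLevel.AUTH_NO_PRIV
    return SecurityLevel.AUTH_PRIV


def check_message(msg_flags: int, session: TransportSession) -> SecurityLevel:
    """Return the requested level, or raise DiscardMessage (fail closed)."""
    requested = level_from_msg_flags(msg_flags)
    provided = level_provided(session)
    if provided < requested:
        raise DiscardMessage(
            f"requested {requested.name}, transport provides {provided.name}")
    return requested


def is_accepted(msg_flags: int, session: TransportSession) -> bool:
    """Convenience wrapper: True if the message may be processed."""
    try:
        check_message(msg_flags, session)
    except DiscardMessage:
        return False
    return True


# Constructed sample sessions (not taken from any real capture).
ENCRYPTED = TransportSession(True, "aes256-ctr", "hmac-sha2-256")
NULL_CIPHER = TransportSession(True, "none", "hmac-sha2-256")
AEAD_ONLY = TransportSession(True, "aes256-gcm@openssh.com", "none")
UNAUTHENTICATED = TransportSession(False, "aes256-ctr", "hmac-sha2-256")

if __name__ == "__main__":
    for name, sess in [("encrypted", ENCRYPTED), ("null cipher", NULL_CIPHER),
                       ("aead", AEAD_ONLY), ("unauthenticated", UNAUTHENTICATED)]:
        for flags in (0x00, 0x01, 0x03, 0x02):
            print(f"{name:16} msgFlags={flags:#04x} accepted={is_accepted(flags, sess)}")
```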



From isms-bounces@lists.ietf.org Wed May 17 16:55:36 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgT3J-0004OI-Bs; Wed, 17 May 2006 16:55:29 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgT3I-0004O8-2S
	for isms@ietf.org; Wed, 17 May 2006 16:55:28 -0400
Received: from rwcrmhc13.comcast.net ([216.148.227.153])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgT3G-0001ak-BP
	for isms@ietf.org; Wed, 17 May 2006 16:55:28 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc13) with SMTP
	id <20060517205524m1300fcmnfe>; Wed, 17 May 2006 20:55:25 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] progressing the tmsm document
Date: Wed, 17 May 2006 16:54:31 -0400
Message-ID: <071d01c679f4$191bc7f0$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060517121124.GB2730@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Hi,

Note that I may not have done a good job of removing all the [discuss]
even though I understand the edits and I think consensus has been
reached. It should not hurt us, however, to double check that we have
consensus on these points.

So don't be surprised when I respond to these points with an opinion
that we probably have consensus already. ;-)

dbh

> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Wednesday, May 17, 2006 8:11 AM
> To: isms@ietf.org
> Subject: [Isms] progressing the tmsm document
>
>
> Hi,
>
> an updated version of the TMSM document is out since May 3rd:
>
> http://www.ietf.org/internet-drafts/draft-ietf-isms-tmsm-02.txt
>
> This document improved a lot since its last revision and there are
> only a few [discuss] and [todo] markers left in the document.
>
> I will start separate threads in subsequent emails in order to resolve
> these issues. Hopefully this can be done quickly so that we can spin
> another revision and have a first WG last call on this document
> completed before July.
>
> So please, get ready to read the document and to help us close the few
> open issues that are left.
>
> /js
>
> --
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
>



From isms-bounces@lists.ietf.org Wed May 17 17:00:35 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgT8F-0006I5-LT; Wed, 17 May 2006 17:00:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgT8D-0006Hp-Pa
	for isms@ietf.org; Wed, 17 May 2006 17:00:33 -0400
Received: from rwcrmhc13.comcast.net ([216.148.227.153])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgT8D-0001sy-GV
	for isms@ietf.org; Wed, 17 May 2006 17:00:33 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc13) with SMTP
	id <20060517210032m1300f3eene>; Wed, 17 May 2006 21:00:32 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issue #2: purpose of msgSecurityParameters in TMSM
	(p28)
Date: Wed, 17 May 2006 16:59:39 -0400
Message-ID: <071e01c679f4$d085f960$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060517185715.GB6311@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Agreed.
dbh

> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Wednesday, May 17, 2006 2:57 PM
> To: isms@ietf.org
> Subject: [Isms] tmsm issue #2: purpose of msgSecurityParameters in TMSM (p28)
>
>
> tmsm issue #2: purpose of msgSecurityParameters in TMSM (p28)
>
>   We need to discuss whether the specific services provided in USM
>   security from msgSecurityParameters still are needed, and how the
>   Message Processing model provides this information to the security
>   model via generateRequestMsg() and processIncomingMsg() primitives.
>   RFC3412 specifies that "The data in the msgSecurityParameters field
>   is used exclusively by the Security Model, and the contents and
>   format of the data is defined by the Security Model.  This OCTET
>   STRING is not interpreted by the v3MP, but is passed to the local
>   implementation of the Security Model indicated by the
>   msgSecurityModel field in the message."
>
>   -> strawman: we leave the contents of the msgSecurityParameters to
>      the definition of a concrete TMSM instance
>
> /js
>
> --
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
>



From isms-bounces@lists.ietf.org Wed May 17 17:00:37 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgT8G-0006It-Vr; Wed, 17 May 2006 17:00:36 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgT8F-0006I0-9K
	for isms@ietf.org; Wed, 17 May 2006 17:00:35 -0400
Received: from rwcrmhc13.comcast.net ([216.148.227.153])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgT8F-0001sy-03
	for isms@ietf.org; Wed, 17 May 2006 17:00:35 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc13) with SMTP
	id <20060517210033m1300f3eeoe>; Wed, 17 May 2006 21:00:34 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issue #1: meaning of authoritative in the context
	ofTMSM (p28)
Date: Wed, 17 May 2006 16:59:39 -0400
Message-ID: <071f01c679f4$d1509c60$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060517185658.GA6311@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Hi,

The RFC3411 ASIs contain securityEngineID and a comment about it being
authoritative.
For SSHSM, I believe we do not use the concept, and I have modified
SSHSM to use the local snmpEngineID wherever the securityEngineID is
called for. I think that will work in the elements of procedure (EOP)
for SSHSM and the RFC3412 MP model EOP.

I think authoritative is not relevant to SSHSM, but there may be other
TMSM models for whom authoritative may be meaningful. This is highly
model-dependent, and may not mean the same type of authoritative as
USM's authoritative. So until RFC3412 and RFC3411 are rewritten to
remove securityEngineID from the ASIs, I think it would be wise to
leave it, but we can point out that it is model-specific and may not
be used by all models, and the local snmpEngineID will satisfy the
ASIs when it is not needed by a security model.

dbh

> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Wednesday, May 17, 2006 2:57 PM
> To: isms@ietf.org
> Subject: [Isms] tmsm issue #1: meaning of authoritative in the context of TMSM (p28)
>
>
> tmsm issue #1: meaning of authoritative in the context of TMSM (p28)
>
>   We need to discuss what the meaning of authoritative would be in a
>   TMSM environment.
>
>   -> strawman: the meaning of authoritative in the sense of clock
>      synchronization does not apply to TMSM instances and is
>      irrelevant
>
> /js
>
> --
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
>



From isms-bounces@lists.ietf.org Wed May 17 22:26:13 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgYDI-0007KP-Oe; Wed, 17 May 2006 22:26:08 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgYDI-0007KK-02
	for isms@ietf.org; Wed, 17 May 2006 22:26:08 -0400
Received: from rwcrmhc12.comcast.net ([204.127.192.82])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgYDF-0001Ff-MW
	for isms@ietf.org; Wed, 17 May 2006 22:26:07 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc12) with SMTP
	id <20060518022604m120048667e>; Thu, 18 May 2006 02:26:04 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issue #4: notification state of NO initiated
	sessions(p31)
Date: Wed, 17 May 2006 22:25:11 -0400
Message-ID: <073401c67a22$4a5810c0$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060517185744.GD6311@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7baded97d9887f7a0c7e8a33c2e3ea1b
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

The text preceding this discuss is incorrect, in that an outgoing
notification does not cause the generation of a securityCache.

This section basically says that a notification must cause the
creation of a session if one does not exist. I do not think this
requires any special processing other than getting the information
from the target-mib (or whatever), which is likely to be
model-specific. When I do the EOP for SSHSM, I will have a better idea
of whether there are any special issues for creating sessions for
notifications.

dbh

> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Wednesday, May 17, 2006 2:58 PM
> To: isms@ietf.org
> Subject: [Isms] tmsm issue #4: notification state of NO initiated sessions(p31)
>
>
> tmsm issue #4: notification state of NO initiated sessions (p31)
>
>   We need to determine what state needs to be saved here.
>
>   -> unclear what is needed here or what this issue is all about
>
> /js
>
> --
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
>
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
>





From isms-bounces@lists.ietf.org Wed May 17 22:41:26 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgYS6-0004Xl-LX; Wed, 17 May 2006 22:41:26 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgYS4-0004Xb-Je
	for isms@ietf.org; Wed, 17 May 2006 22:41:24 -0400
Received: from rwcrmhc12.comcast.net ([204.127.192.82])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgYS3-0003ho-A0
	for isms@ietf.org; Wed, 17 May 2006 22:41:24 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc12) with SMTP
	id <20060518024122m12003ua41e>; Thu, 18 May 2006 02:41:22 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issue #5: session table (p39)
Date: Wed, 17 May 2006 22:40:29 -0400
Message-ID: <073501c67a24$6d6bf200$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060517185802.GE6311@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

So an engine creates session entries for one of two circumstances
1) an outgoing message causes creation of a session.
2) an outgoing message from another engine causes creation of a
session with this engine.

Are those the only two things we need to care about?

Either way, a sessionEntry should be created to record the session's
existence. Although this makes me realize that we have not provided
any text that discusses the opening of a session by a remote engine,
and how the sessionTable gets populated.

If those are the only two ways to create a session, then read-only
should be fine. But these do not cover any callhome mechanism.

dbh


> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de] 
> Sent: Wednesday, May 17, 2006 2:58 PM
> To: isms@ietf.org
> Subject: [Isms] tmsm issue #5: session table (p39)
> 
> 
> tmsm issue #5: session table (p39)
> 
>   Should it be possible for a manager to create or modify rows in the
>   session table?  If so, then we may need the rowstatus object.  If
>   the session table is read-only then we can probably eliminate the
>   rowstatus.  If the table is not read-only, then we need to list the
>   tables and objects and state why they are sensitive.
> 
>   -> strawman: the session table is read-only
> 
> /js
> 
> -- 
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 
> 28725 Bremen, Germany
> 
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
> 





From isms-bounces@lists.ietf.org Wed May 17 22:52:14 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgYcY-00089h-RS; Wed, 17 May 2006 22:52:14 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgYcX-00089Z-JD
	for isms@ietf.org; Wed, 17 May 2006 22:52:13 -0400
Received: from rwcrmhc12.comcast.net ([216.148.227.152])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgYcW-0005rR-Bq
	for isms@ietf.org; Wed, 17 May 2006 22:52:13 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc12) with SMTP
	id <20060518025210m120045uude>; Thu, 18 May 2006 02:52:11 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issues
Date: Wed, 17 May 2006 22:51:18 -0400
Message-ID: <073601c67a25$f0084410$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060517185802.GE6311@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aefe408d50e9c7c47615841cb314bed
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Juergen,

I think the page numbers you are showing are for -01-, not -02-

dbh






From isms-bounces@lists.ietf.org Thu May 18 10:48:44 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1Fgjnw-0000QB-E5; Thu, 18 May 2006 10:48:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1Fgjnv-0000Q6-S0
	for isms@ietf.org; Thu, 18 May 2006 10:48:43 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fgjnt-0006b4-He
	for isms@ietf.org; Thu, 18 May 2006 10:48:43 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 5B147560C3
	for <isms@ietf.org>; Thu, 18 May 2006 16:48:31 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 07846-05; Thu, 18 May 2006 16:48:29 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.3])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id 71F07560BA;
	Thu, 18 May 2006 16:48:28 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id CA9A46E18FD; Thu, 18 May 2006 16:48:26 +0200 (CEST)
Date: Thu, 18 May 2006 16:48:26 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060518144826.GC8411@boskop.local>
Mail-Followup-To: isms@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93238566e09e6e262849b4f805833007
Cc: 
Subject: [Isms] tmsm issue #8: MPSP vs SMSP
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Hi,

I just ran into the following question and so I am posting it as a
new issue:

  The ID right now uses the term "message processing security processor"
  (MPSP) to refer to the piece which does security processing in the
  security subsystem. This somehow sounds like a misnomer. Should this
  not be the "security model security processor" (SMSP)?

  This way, we would divide a "transport mapping security model" into
  the two pieces

  TMSP - transport mapping security processor
  SMSP - security model security processor

  since the message processing model should actually not be involved
  in all this.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Thu May 18 12:00:30 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgkvI-0002ZR-EI; Thu, 18 May 2006 12:00:24 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgkvG-0002Xk-FQ
	for isms@ietf.org; Thu, 18 May 2006 12:00:22 -0400
Received: from rwcrmhc14.comcast.net ([204.127.192.84])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgkvF-0002pt-63
	for isms@ietf.org; Thu, 18 May 2006 12:00:22 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc14) with SMTP
	id <20060518160019m1400kee7ee>; Thu, 18 May 2006 16:00:20 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: <j.schoenwaelder@iu-bremen.de>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issue #8: MPSP vs SMSP
Date: Thu, 18 May 2006 11:59:26 -0400
Message-ID: <076401c67a94$0a4e2600$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20060518144826.GC8411@boskop.local>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Hi,

If that is the approach we want to take, I can live with it.

Note that I agree that "the message processing model **should**
actually not be involved", but I am not convinced that in practice
this is true. Of course, no implementation actually follows this
design closely anyway, so in practice the point is unimportant.

dbh

> -----Original Message-----
> From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> Sent: Thursday, May 18, 2006 10:48 AM
> To: isms@ietf.org
> Subject: [Isms] tmsm issue #8: MPSP vs SMSP
>
>
> Hi,
>
> I just ran into the following question and so I am posting it as a
> new issue:
>
>   The ID right now uses the term "message processing security processor"
>   (MPSP) to refer to the piece which does security processing in the
>   security subsystem. This somehow sounds like a misnomer. Should this
>   not be the "security model security processor" (SMSP)?
>
>   This way, we would divide a "transport mapping security model" into
>   the two pieces
>
>   TMSP - transport mapping security processor
>   SMSP - security model security processor
>
>   since the message processing model should actually not be involved
>   in all this.
>
> /js
>
> --
> Juergen Schoenwaelder		    International University Bremen
> <http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
>
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
>





From isms-bounces@lists.ietf.org Thu May 18 13:52:00 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FgmfI-0002Rt-Ez; Thu, 18 May 2006 13:52:00 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FgmfG-0002Ri-Vt
	for isms@ietf.org; Thu, 18 May 2006 13:51:58 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129]
	helo=chiedprmail1.ietf.org)
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgmfG-0000AI-UY
	for isms@ietf.org; Thu, 18 May 2006 13:51:58 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FgmeV-0005s1-DB
	for isms@ietf.org; Thu, 18 May 2006 13:51:12 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 8DB2B560C4;
	Thu, 18 May 2006 19:51:09 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 24179-09; Thu, 18 May 2006 19:51:07 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.3])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id B47785609D;
	Thu, 18 May 2006 19:51:07 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id A271E6E1A7B; Thu, 18 May 2006 19:51:06 +0200 (CEST)
Date: Thu, 18 May 2006 19:51:06 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: David Harrington <ietfdbh@comcast.net>
Subject: Re: [Isms] tmsm issue #8: MPSP vs SMSP
Message-ID: <20060518175106.GG8411@boskop.local>
Mail-Followup-To: David Harrington <ietfdbh@comcast.net>,
	isms@ietf.org
References: <20060518144826.GC8411@boskop.local>
	<076401c67a94$0a4e2600$0400a8c0@china.huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <076401c67a94$0a4e2600$0400a8c0@china.huawei.com>
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: -1.9 (-)
X-Scan-Signature: 856eb5f76e7a34990d1d457d8e8e5b7f
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

On Thu, May 18, 2006 at 11:59:26AM -0400, David Harrington wrote:
 
> If that is the approach we want to take, I can live with it.
> 
> Note that I agree that "the message processing model **should**
> actually not be involved", but I am not convinced that in practice
> this is true. Of course, no implementation actually follows this
> design closely anyway, so in practice the point is unimportant.

In practice, everything is different. But in our architectural model,
the security processing clearly is the job of the security model and
not of the message processing model.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Fri May 19 09:42:12 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1Fh5Ez-00029L-O0; Fri, 19 May 2006 09:42:05 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FguWs-0002ho-SN
	for isms@ietf.org; Thu, 18 May 2006 22:15:50 -0400
Received: from rwcrmhc14.comcast.net ([216.148.227.154])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FguWn-0007ho-Pm
	for isms@ietf.org; Thu, 18 May 2006 22:15:50 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc14) with SMTP
	id <20060519021540m1400kjtdge>; Fri, 19 May 2006 02:15:40 +0000
From: "David B Harrington" <dbharrington@comcast.net>
To: <isms@ietf.org>
Date: Thu, 18 May 2006 22:14:49 -0400
Message-ID: <07f801c67aea$01e52c10$0400a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_07F9_01C67AC8.7AD38C10"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Importance: Normal
X-Spam-Score: 0.2 (/)
X-Scan-Signature: c5998d44b9e9fcdfbf90fd1c988a464a
X-Mailman-Approved-At: Fri, 19 May 2006 09:42:04 -0400
Cc: 
Subject: [Isms] SSHSM pre-release
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

This is a multi-part message in MIME format.

------=_NextPart_000_07F9_01C67AC8.7AD38C10
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Hi,

We need reviews to both TMSM and SSHSM drafts at this point to make
sure that the big decisions we have made have been applied properly to
the documents, and that we haven't overlooked any important factors
while doing the design. (That's not an open invitation to recommend
unnecessary, nifty-to-have new features). Please read the minutes of
the last IETF meeting if you don't know what big decisions we have
reached consensus on; we reviewed them at that meeting.

To make progress, I had to "interpret" how some of the decisions would
apply, so you should definitely look at how I interpreted some of the
"ripples" from the WG decisions.

The TMSM I-D was published a week or two ago. I believe it is in
fairly good shape.

I'm still working on the SSHSM draft. It's heavy going; I've gotten
most of the expository text updated. I'll post it here for the WG to
be able to review it at this stage while I keep working on it. I'll
try to get an official I-D published by the end of next week. The
attached file doesn't pass id-nits because of some references and
miscellaneous stuff that will be fixed in the I-D.

We've addressed the big issues in the WG; now we need to get into the
details.

I am now working on the elements of procedure for SSHSM, where we need
to define the sequence of necessary steps, and where the data to
perform each step comes from, including the MIB module definitions. I
am finding that the tmsmSessionTable needs to be used by the EOP to
lookup info on the session at a point where the EOP has no knowledge
of a sessionID. We will almost certainly need to change the indices
for the table. The transportDomain and transportAddress need to be
added to generateRequest() and generateResponse() so the MPSP has the
address when finding an existing session to use. Knowing who an
existing session is connected to is somewhat important ;-)

Enjoy reading.

David Harrington
dharrington@huawei.com
dbharrington@comcast.net
ietfdbh@comcast.net

------=_NextPart_000_07F9_01C67AC8.7AD38C10
Content-Type: text/plain;
	name="draft-ietf-isms-secshell.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="draft-ietf-isms-secshell.txt"




Network Working Group                                      D. Harrington
Internet-Draft                                    Futurewei Technologies
Expires: November 16, 2006                                    J. Salowey
                                                           Cisco Systems
                                                            May 15, 2006


                  Secure Shell Security Model for SNMP
                    draft-ietf-isms-secshell-02.9.txt

Status of This Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 16, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo describes a Security Model for the Simple Network
   Management Protocol, using the Secure Shell protocol within a
   Transport Mapping.







Harrington & Salowey    Expires November 16, 2006               [Page 1]
Internet-Draft    Secure Shell Security Model for SNMP          May 2006


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  The Internet-Standard Management Framework . . . . . . . .  4
     1.2.  Modularity . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.3.  Motivation . . . . . . . . . . . . . . . . . . . . . . . .  5
     1.4.  Conventions  . . . . . . . . . . . . . . . . . . . . . . .  6
     1.5.  The Secure Shell Protocol  . . . . . . . . . . . . . . . .  7
     1.6.  Constraints  . . . . . . . . . . . . . . . . . . . . . . .  7
   2.  How SSHSM Fits into the TMSM Architecture  . . . . . . . . . .  8
     2.1.  Security Capabilities of this Model  . . . . . . . . . . .  9
       2.1.1.  Threats  . . . . . . . . . . . . . . . . . . . . . . .  9
       2.1.2.  SSHSM Sessions . . . . . . . . . . . . . . . . . . . . 11
       2.1.3.  Authentication Protocol  . . . . . . . . . . . . . . . 12
       2.1.4.  Privacy Protocol . . . . . . . . . . . . . . . . . . . 12
       2.1.5.  Protection against Message Replay, Delay and
               Redirection  . . . . . . . . . . . . . . . . . . . . . 12
       2.1.6.  Security Protocol Requirements . . . . . . . . . . . . 13
     2.2.  Security Parameter Passing Requirement . . . . . . . . . . 14
     2.3.  Requirements for Notifications and Proxy . . . . . . . . . 14
   3.  RFC 3411 Abstract Service Interfaces . . . . . . . . . . . . . 15
     3.1.  Public Abstract Service Interfaces . . . . . . . . . . . . 15
       3.1.1.  Public ASIs for Outgoing Messages  . . . . . . . . . . 15
       3.1.2.  Public ASIs for Incoming Messages  . . . . . . . . . . 18
   4.  SNMP Messages Using this Security Model  . . . . . . . . . . . 19
     4.1.  SNMPv3 Message Fields  . . . . . . . . . . . . . . . . . . 19
       4.1.1.  msgGlobalData  . . . . . . . . . . . . . . . . . . . . 21
       4.1.2.  msgSecurityParameters  . . . . . . . . . . . . . . . . 21
     4.2.  Passing Security Parameters  . . . . . . . . . . . . . . . 21
       4.2.1.  tmStateReference . . . . . . . . . . . . . . . . . . . 21
       4.2.2.  securityStateReference . . . . . . . . . . . . . . . . 22
   5.  Elements of Procedure  . . . . . . . . . . . . . . . . . . . . 23
     5.1.  Generating an Outgoing SNMP Message  . . . . . . . . . . . 23
     5.2.  MPSP . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
     5.3.  Sending an Outgoing SNMP Message to the Network  . . . . . 25
       5.3.1.  TMSP . . . . . . . . . . . . . . . . . . . . . . . . . 25
     5.4.  [todo] Prepare Data Elements from an Incoming SNMP
           Message  . . . . . . . . . . . . . . . . . . . . . . . . . 25
     5.5.  Processing an Incoming SNMP Message  . . . . . . . . . . . 26
     5.6.  Establishing a Session . . . . . . . . . . . . . . . . . . 28
     5.7.  Closing a Session  . . . . . . . . . . . . . . . . . . . . 30
     5.8.  Discovery  . . . . . . . . . . . . . . . . . . . . . . . . 31
   6.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   7.  Structure of the MIB Module  . . . . . . . . . . . . . . . . . 31
     7.1.  Textual Conventions  . . . . . . . . . . . . . . . . . . . 31
     7.2.  The sshsmStats Subtree . . . . . . . . . . . . . . . . . . 32
     7.3.  The sshsmsSession Subtree  . . . . . . . . . . . . . . . . 32
     7.4.  Relationship to Other MIB Modules  . . . . . . . . . . . . 32
       7.4.1.  Relationship to the SNMPv2-MIB . . . . . . . . . . . . 32
       7.4.2.  Relationship to the SNMP-FRAMEWORK-MIB . . . . . . . . 32
       7.4.3.  Relationship to the TMSM-MIB . . . . . . . . . . . . . 32
       7.4.4.  MIB Modules Required for IMPORTS . . . . . . . . . . . 33
   8.  MIB module definition  . . . . . . . . . . . . . . . . . . . . 33
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 37
     9.1.  noAuthPriv . . . . . . . . . . . . . . . . . . . . . . . . 37
     9.2.  skipping public key verification . . . . . . . . . . . . . 38
     9.3.  the 'none' MAC algorithm . . . . . . . . . . . . . . . . . 38
     9.4.  MIB module security  . . . . . . . . . . . . . . . . . . . 38
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 39
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 40
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 40
     12.2. Informative References . . . . . . . . . . . . . . . . . . 41
   Appendix A.  Open Issues . . . . . . . . . . . . . . . . . . . . . 42
     A.1.  Closed Issues  . . . . . . . . . . . . . . . . . . . . . . 42
   Appendix B.  Change Log  . . . . . . . . . . . . . . . . . . . . . 46
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 47
   Intellectual Property and Copyright Statements . . . . . . . . . . 48


1.  Introduction

   This memo describes a Security Model for the Simple Network
   Management Protocol, using the Secure Shell protocol within a
   Transport Mapping Security Model extension [I-D.ietf-isms-tmsm].  The
   security model specified in this memo is referred to as the Secure
   Shell Security Model (SSHSM).

   This memo also defines a portion of the Management Information Base
   (MIB) for use with network management protocols in TCP/IP based
   internets.  In particular it defines objects for monitoring and
   managing the Secure Shell Security Model for SNMP.

   It is important to understand the SNMP architecture and the
   terminology of the architecture to understand where the Security
   Model described in this memo fits into the architecture and interacts
   with other subsystems within the architecture.

1.1.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

1.2.  Modularity

   The reader is expected to have read and understood the description of
   the SNMP architecture, as defined in [RFC3411], and the TMSM
   architecture extension specified in "Transport Mapping Security Model
   (TMSM) Architectural Extension for the Simple Network Management
   Protocol" [I-D.ietf-isms-tmsm], which enables the use of external
   "lower layer" protocols to provide message security, tied into the
   SNMP architecture through the transport mapping subsystem.  One such
   external protocol is the Secure Shell protocol [RFC4251].

   This memo describes the Secure Shell Security Model for SNMP, a
   specific SNMP security model to be used within the SNMP Architecture,
   to provide authentication, encryption, and integrity checking of SNMP
   messages.

   In keeping with the RFC 3411 design decisions to use self-contained
   documents, this memo includes the elements of procedure plus
   associated MIB objects which are needed for processing the Secure
   Shell Security Model for SNMP.  These MIB objects SHOULD NOT be
   referenced in other documents.  This allows the Secure Shell Security
   Model for SNMP to be designed and documented as independent and self-
   contained, having no direct impact on other modules, and allowing
   this module to be upgraded and supplemented as the need arises, and
   to move along the standards track on different time-lines from other
   modules.

   This modularity of specification is not meant to be interpreted as
   imposing any specific requirements on implementation.

1.3.  Motivation

   Version 3 of the Simple Network Management Protocol (SNMPv3) added
   security to the previous versions of the protocol.  The User Security
   Model (USM) [RFC3414] was designed to be independent of other
   existing security infrastructures, to ensure it could function when
   third party authentication services were not available, such as in a
   broken network.  As a result, USM typically utilizes a separate user
   and key management infrastructure.  Operators have reported that
   deploying another user and key management infrastructure in order to
   use SNMPv3 is a reason for not deploying SNMPv3 at this point in
   time.

   This memo describes a security model that will make use of the
   existing and commonly deployed Secure Shell security infrastructure.
   It is designed to meet the security and operational needs of network
   administrators, maximize usability in operational environments to
   achieve high deployment success and at the same time minimize
   implementation and deployment costs to minimize the time until
   deployment is possible.

   The work will address the requirement for the SSH client to
   authenticate the SSH server, for the SSH server to authenticate the
   SSH client, and how SNMP can make use of the authenticated identities
   in message authentication and access control.

   The work will include the ability to use any of the client
   authentication methods described in "SSH Authentication Protocol"
   [RFC4252] - public key, password, and host-based.  Local accounts may
   be supported through the use of the public key, host-based or
   password based mechanisms.  The password based mechanism allows for
   integration with deployed password infrastructure such as AAA servers
   using the RADIUS protocol [RFC2865].  SSHSM SHOULD be able to take
   advantage of other defined authentication mechanisms such as those
   defined in [RFC4462] and future mechanisms such as those that make
   use of X.509 certificate credentials.  This will allow SSHSM to
   utilize client authentication and key exchange mechanisms which
   support different security infrastructures and provide different
   security properties.

   It is desirable to use mechanisms that could unify the approach for
   administrative security for SNMPv3 and Command Line interfaces (CLI)
   and other management interfaces.  The use of security services
   provided by Secure Shell is the approach commonly used for the CLI,
   and is the approach being adopted for use with NETCONF
   [I-D.ietf-netconf-ssh].  This memo describes a method for invoking
   and running the SNMP protocol within a Secure Shell (SSH) session as
   an SSH subsystem.

   This memo describes how SNMP can be used within a Secure Shell (SSH)
   session, using the SSH connection protocol [RFC4254] over the SSH
   transport protocol, using SSH user-auth [RFC4252] for authentication.

   There are a number of challenges to be addressed to map Secure Shell
   authentication method parameters into the SNMP architecture so that
   SNMP continues to work without any surprises.  These are discussed in
   detail below.

1.4.  Conventions

   The terms "manager" and "agent" are not used in this document,
   because in the RFC 3411 architecture, all SNMP entities have the
   capability of acting as either manager or agent or both depending on
   the SNMP applications included in the engine.  Where distinction is
   required, the application names of Command Generator, Command
   Responder, Notification Generator, Notification Responder, and Proxy
   Forwarder are used.  See "SNMP Applications" [RFC3413] for further
   information.

   Throughout this document, the terms "client" and "server" are used to
   refer to the two ends of the SSH transport connection.  The client
   actively opens the SSH connection, and the server passively listens
   for the incoming SSH connection.  Either SNMP entity may act as
   client or as server, as discussed further below.

   While SSH and USM frequently refer to a user, the terminology used in
   RFC3411 [RFC3411] and in this memo is "principal".  A principal is
   the "who" on whose behalf services are provided or processing takes
   place.  A principal can be, among other things, an individual acting
   in a particular role; a set of individuals, with each acting in a
   particular role; an application or a set of applications; and
   combinations thereof.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Sections requiring further editing are identified by [todo] markers
   in the text.  Points requiring further WG research and discussion are
   identified by [discuss] markers in the text.

1.5.  The Secure Shell Protocol

   SSH is a protocol for secure remote login and other secure network
   services over an insecure network.  It consists of three major
   components:
   o  The Transport Layer Protocol [RFC4253] provides server
      authentication, and message confidentiality and integrity.  It may
      optionally also provide compression.  The transport layer will
      typically be run over a TCP/IP connection, but might also be used
      on top of any other reliable data stream.
   o  The User Authentication Protocol [RFC4252] authenticates the
      client-side principal to the server.  It runs over the transport
      layer protocol.
   o  The Connection Protocol [RFC4254] multiplexes the encrypted tunnel
      into several logical channels.  It runs over the transport after
      successfully authenticating the principal.

   The client sends a service request once a secure transport layer
   connection has been established.  A second service request is sent
   after client authentication is complete.  This allows new protocols
   to be defined and coexist with the protocols listed above.

   The connection protocol provides channels that can be used for a wide
   range of purposes.  Standard methods are provided for setting up
   secure interactive shell sessions and for forwarding ("tunneling")
   arbitrary TCP/IP ports and X11 connections.

1.6.  Constraints

   The design of this SNMP Security Model is also influenced by the
   following constraints:
   1.  When the requirements of effective management in times of network
       stress are inconsistent with those of security, the design of
       this model gives preference to effective management.
   2.  In times of network stress, the security protocol and its
       underlying security mechanisms SHOULD NOT depend upon the ready
       availability of other network services (e.g., Network Time
       Protocol (NTP) or AAA protocols).
   3.  When the network is not under stress, the security model and its
       underlying security mechanisms MAY depend upon the ready
       availability of other network services.
   4.  It may not be possible for the security model to determine when
       the network is under stress.
   5.  A security model should require no changes to the SNMP
       architecture.
   6.  A security model should require no changes to the underlying
       security protocol.


2.  How SSHSM Fits into the TMSM Architecture

   SSH is a security layer which is plugged into the TMSM architecture
   extension between the underlying transport layer and the message
   dispatcher [RFC3411].

   The SSHSM model will establish an encrypted tunnel between the
   transport mappings of two SNMP engines.  The sending transport
   mapping security model instance encrypts outgoing messages, and the
   receiving transport mapping security model instance decrypts the
   messages.

   After the transport layer tunnel is established, SNMP messages
   can conceptually be sent through the tunnel from one SNMP message
   dispatcher to another SNMP message dispatcher.  Once the tunnel is
   established, multiple SNMP messages may be able to be passed through
   the same tunnel.

   Within an engine, outgoing SNMP messages are passed unencrypted from
   the message dispatcher to the transport mapping, and incoming
   messages are passed unencrypted from the transport mapping to the
   message dispatcher.

   SSHSM follows the TMSM approach, in which the security-model has two
   separate areas of security processing - transport-mapping-related
   security processing (TMSP) within the transport mapping section of
   the dispatcher, and message processor security processing (MPSP)
   which happens within the security model subsystem of the message
   processor.

   SSHSM security processing will be called from within the Transport
   Mapping functionality of an SNMP engine dispatcher to perform the
   translation of transport security parameters to/from security-model-
   independent parameters.  Some SSHSM security processing will also be
   performed within a message processing portion of the model, for
   compatibility with the ASIs between the RFC 3411 Security Subsystem
   and the Message Processing Subsystem.

2.1.  Security Capabilities of this Model

2.1.1.  Threats

   The security protocols used in this memo are considered acceptably
   secure at the time of writing.  However, the procedures allow for new
   authentication and privacy methods to be specified at a future time
   if the need arises.

   The Secure Shell Security Model provides protection against the
   threats identified by the RFC 3411 architecture [RFC3411]:

   1.  Message stream modification - SSHSM provides for verification
       that each received SNMP message has not been modified during its
       transmission through the network.
   2.  Information modification - SSHSM provides for verification that
       the contents of each received SNMP message have not been modified
       during its transmission through the network, that data has not
       been altered or destroyed in an unauthorized manner, and that
       data sequences have not been altered to an extent greater than
       can occur non-maliciously.
   3.  Masquerade - SSHSM provides for both verification of the identity
       of the SSH server and verification of the identity of the SSH
       client - the principal on whose behalf a received SNMP message
       claims to have been generated.  It is not possible to assure the
       specific principal that originated a received SNMP message;
       rather, it is the principal on whose behalf the message was
       originated that is authenticated.  SSH provides verification of
       the identity of the SSH server through the SSH Transport Protocol
       server authentication [RFC4253].
   4.  Verification of principal identity is important for use with the
       SNMP access control subsystem, to ensure that only authorized
       principals have access to potentially sensitive data.  The SSH
       user identity will be used to map to an SNMP model-independent
       securityName for use with SNMP access control.
   5.  Authenticating both the SSH server and the SSH client ensures the
       authenticity of the SNMP engine that provides MIB data, whether
       that engine resides on the server or client side of the
       association.  Operators or management applications might act upon
       the data they receive (e.g., raise an alarm for an operator,
       modify the configuration of the device that sent the
       notification, modify the configuration of other devices in the
       network as the result of the notification, and so on), so it is
       important to know that the provider of MIB data is authentic.
   6.  Disclosure - SSHSM provides that the contents of each received
       SNMP message are protected from disclosure to unauthorized
       persons.
   7.  Replay - SSH ensures that cryptographic keys established at the
       beginning of the SSH session and stored in the SSH session state
       are fresh new session keys generated for each session.  These are
       used to authenticate and encrypt data, and to prevent replay
       across sessions.  SSH uses sequence information to prevent the
       replay and reordering of messages within a session.

2.1.1.1.  Data Origin Authentication Issues

   The RFC 3411 architecture recognizes three levels of security:
      - without authentication and without privacy (noAuthNoPriv)
      - with authentication but without privacy (authNoPriv)
      - with authentication and with privacy (authPriv)

   The Secure Shell protocol provides support for encryption and data
   integrity.  While it is technically possible to support no
   authentication and no encryption in SSH, it is NOT RECOMMENDED by
   [RFC4253].

   SSHSM extracts from SSH the identity of the authenticated principal,
   and the type and address associated with an incoming message, and
   SSHSM provides this information to SSH for an outgoing message.  The
   transport layer algorithms used to provide authentication, data
   integrity and encryption SHOULD NOT be exposed to the SSHSM layer.
   In SNMPv3, we deliberately avoided this and settled for an assertion,
   using msgFlags, that auth and priv were applied according to the
   rules of the security model.  However, SSHSM has no mechanisms by
   which it can test whether an underlying SSH connection provides auth
   or priv to meet a desired msgFlags setting, so the SSHSM trusts that
   the underlying SSH connection has been properly configured to support
   security characteristics at least as strong as requested in msgFlags.

   SSH does not understand msgFlags, and SSHSM does not know which SSH
   algorithms or options would be needed to open SSH sessions that
   match different securityLevels.  For interoperability of the trust
   assumptions between SNMP engines, an SSHSM-compliant implementation
   MUST use an SSH connection that provides authentication, data
   integrity and encryption that meets the highest level of SNMP
   security (authPriv).  Outgoing messages requested by SNMP
   applications and specified with a lesser securityLevel (noAuthNoPriv
   or authNoPriv) are sent by SSHSM as authPriv securityLevel.  Other
   security models, where the actual securityLevel applied to the
   connection can be determined or controlled, can be used when a lesser
   level of security is desired.

   Implementations SHOULD support whatever authentications are provided
   by SSH.  The security protocols used in [RFC4253] are considered
   acceptably secure at the time of writing.  However, the procedures
   allow for new authentication and privacy methods to be specified at a
   future time if the need arises.

2.1.2.  SSHSM Sessions

   The Secure Shell security model will utilize TMSM sessions, with a
   single combination of transportAddress, engineID, securityName,
   securityModel, and securityLevel associated with each session.  A
   TMSM session is associated with state information that is maintained
   for its lifetime.  All SSHSM sessions will utilize the authPriv
   securityLevel, and all incoming SSHSM messages will be treated as
   having been delivered through authenticated, integrity-checked, and
   encrypted connections.

   SSHSM sessions are opened during the elements of procedure for an
   outgoing SNMP message, never during the elements of procedure for an
   incoming message.  Implementations MAY choose to instantiate sessions
   in anticipation of outgoing messages.

2.1.2.1.  Message security versus session security

   As part of session creation, the client and server entities are
   authenticated and authorized access to the session.  In addition, as
   part of session establishment, cryptographic key material is
   exchanged and is then used to control access to the session on a
   message by message basis.  Messages that fail the basic data origin
   authentication/data integrity checks will be rejected.  Entities
   receiving the messages that do not have the correct encryption keys
   established during session creation will not be able to read the
   messages.  In order for an entity to process messages, it must
   maintain certain state associated with the session.  This includes,
   but is not limited to, cryptographic encryption and data integrity
   keys, entity identities and authorization information associated with
   the authenticated identities.  After a message is received and passes
   integrity and authentication checks, the state stored in the session
   is used to provide further authorization for the message.

   [discuss] this sounds like a discussion of what happens at the SSH
   layer, not the SSHSM layer; Isn't the SSH state maintained by the SSH
   layer?  Isn't all this invisible to the SSHSM security model?  If an
   incoming message fails SSH authentication, integrity, or decryption
   then it will not be passed to the SSHSM layer, right?

   [discuss] to make it possible for SSHSM to send an outgoing message
   via an SSH connection, what state needs to be known/preserved by
   SSHSM to tell SSH which session to use?

2.1.3.  Authentication Protocol

   SSHSM should support any client authentication mechanism supported by
   SSH.  This includes the three authentication methods described in the
   SSH Authentication Protocol document [RFC4252] - publickey, password,
   and host-based.

   The password authentication mechanism allows for integration with
   deployed password based infrastructure.  It is possible to hand a
   password to a service such as RADIUS [RFC2865] or Diameter [RFC3588]
   for validation.  The validation could be done using the user-name and
   user-password attributes.  It is also possible to use a different
   password validation protocol such as CHAP [RFC1994] or digest
   authentication [RFC 2617, draft-ietf-radext-digest-auth-04] to
   integrate with RADIUS or Diameter.  These mechanisms leave the
   password in the clear on the device that is authenticating the
   password, which introduces threats to the authentication
   infrastructure.

   GSSKeyex [RFC4462] provides a framework for the addition of client
   authentication mechanisms which support different security
   infrastructures and provide different security properties.
   Additional authentication mechanisms, such as one that supports X.509
   certificates, may be added to SSH in the future.

2.1.4.  Privacy Protocol

   The Secure Shell Security Model uses the SSH transport layer
   protocol, which provides strong encryption, server authentication,
   and integrity protection.

2.1.5.  Protection against Message Replay, Delay and Redirection

   The Secure Shell Security Model uses the SSH transport layer
   protocol.  SSH uses sequence numbers and integrity checks to protect
   against replay and reordering of messages within a connection.

   SSH also provides protection against replay of entire sessions.  In a
   properly-implemented DH exchange, both sides will generate new random
   numbers for each exchange, which means the exchange hash and thus the
   encryption and integrity keys will be distinct for every session.
   This would prevent capturing an SNMP message and redirecting it to
   another SNMP engine.

   Message delay is not as important an issue with SSH as it is with
   USM.  USM checks the timeliness of messages because it does not
   provide session protection or message sequence ordering.  The only
   delay that would seem to be possible would be to delay the
   transmission of all packets from a particular point in a session
   since SSH protects the ordering of packets.

2.1.6.  Security Protocol Requirements

   Modifying the Secure Shell protocol, or configuring it in a
   particular manner, may change its security characteristics in ways
   that would impact other existing usages.  If a change is necessary,
   the change should be an extension that has no impact on the existing
   usages.  This document will describe the use of an SSH subsystem for
   SNMP to make SNMP usage distinct from other usages.

2.1.6.1.  Troubleshooting

   SSHSM will likely not work in conditions where access to the CLI has
   stopped working.  In situations where SNMP access has to work when
   the CLI has stopped working, the use of USM should be considered
   instead of SSHSM.

2.1.6.2.  Coexistence

   The Secure Shell security model can coexist with the USM security
   model, the only other currently defined security model. [discuss] #6:
   Are there any wrinkles to coexistence with SNMPv1/v2c/USM?

   Note that RFC3584 discusses how to transfer fields between SNMPv3 and
   SNMPv1 messages. [todo] this area needs detailed analysis.

2.1.6.3.  Mapping SSH to EngineID

   In the RFC3411 architecture, there are three use cases for an
   engineID:
      snmpEngineID - RFC3411 includes the SNMP-FRAMEWORK-MIB, which
      defines an snmpEngineID object.  An snmpEngineID is the unique and
      unambiguous identifier of an SNMP engine.  Since there is a one-
      to-one association between SNMP engines and SNMP entities, it also
      uniquely and unambiguously identifies the SNMP entity within an
      administrative domain.
      contextEngineID - Management information resides at an SNMP entity
      where a Command Responder Application has local access to
      potentially multiple contexts.  A Command Responder application
      uses a contextEngineID equal to the snmpEngineID of its associated
      SNMP engine, and the contextEngineID is included in a scopedPDU to
      identify the engine associated with the data contained in the PDU.
      securityEngineID - The securityEngineID is used by USM when
      performing integrity checking and authentication, to look up
      values in the USM tables, and to synchronize "clocks".  The
      securityEngineID is not needed by SSHSM, since integrity checking
      and authentication are handled outside the SNMP engine.  The
      RFC3411 architecture defines ASIs that include a securityEngineID;
      SSHSM should always set the securityEngineID equal to the
      snmpEngineID to satisfy the elements of procedure for
      generateRequestMsg() defined in RFC3412.

2.2.  Security Parameter Passing Requirement

   Security-model-specific parameters for an incoming message are
   determined from the SSH layer by the transport mapping security
   processor (TMSP), before the message processing begins.  The TMSP
   accepts (decrypted) messages from the SSH subsystem, and records the
   transport-related information and the security-related information,
   including authenticated identity, in a cache referenced by
   tmStateReference, and passes the WholeMsg and the tmStateReference to
   the MPSP (via the dispatcher).

   For outgoing messages, the security-model-specific parameters are
   gathered by the messaging-security-processor (MPSP) and passed with
   the outgoing message to the transport mapping.  The MPSP portion of
   the security model creates the WholeMsg from its component parts.  In
   the SSHSM model, an SNMPv3 message is built without any content in
   the SecurityParameters field of the message, and the WholeMsg is
   passed unencrypted back to the Message Processing Model for
   forwarding to the Transport Mapping.  The MPSP takes input provided
   by the SNMP application, converts that information into suitable
   security parameters for SSHSM, and passes these in a cache referenced
   by tmStateReference to the TMSP (via the dispatcher).  The TMSP
   establishes sessions as needed and passes messages to the SSH
   subsystem for processing.

   The cache reference is an additional parameter in the ASIs between
   the transport mapping and the messaging security model.

   This approach does create dependencies between a model-specific TMSP
   and a corresponding specific MPSP.  Passing a model-independent cache
   reference as a parameter in an ASI is consistent with the
   securityStateReference cache already being passed around in the ASI.
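
   The following Python sketch is an added illustration, not part of
   the draft.  It models the tmStateReference cache hand-off between
   the TMSP and the MPSP described in this section, together with the
   authPriv and session-opening rules of sections 2.1.1.1 and 2.1.2.
   The class and method names, the stub SSH layer, the identity mapping
   from SSH user to securityName, and the sample address are
   assumptions of the example.

```python
"""Toy model of the TMSP/MPSP split and the tmStateReference cache (constructed)."""
from dataclasses import dataclass
from itertools import count

LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")


@dataclass
class TmState:
    """One cache entry referenced by a tmStateReference."""
    transport_address: str
    security_name: str
    security_level: str = "authPriv"     # every SSHSM session is authPriv


class StubSsh:
    """Stand-in for the SSH layer: records opened sessions and sent data."""
    def __init__(self):
        self.opened, self.sent = [], []

    def open_session(self, address, user):
        self.opened.append((address, user))
        return len(self.opened)          # hypothetical session handle

    def send(self, session, data):
        self.sent.append((session, data))


class Engine:
    def __init__(self, ssh):
        self.ssh = ssh
        self.cache = {}                  # tmStateReference -> TmState
        self.sessions = {}               # (address, securityName) -> session
        self._refs = count(1)

    # --- TMSP: transport-mapping side ---------------------------------
    def tmsp_receive(self, address, ssh_user, whole_msg):
        """Input is a message SSH has already authenticated and decrypted."""
        ref = next(self._refs)
        self.cache[ref] = TmState(address, ssh_user)
        return whole_msg, ref            # passed on to the MPSP

    def tmsp_send(self, whole_msg, ref):
        state = self.cache.pop(ref)      # entry lifetime is an assumption here
        key = (state.transport_address, state.security_name)
        if key not in self.sessions:     # sessions open only on the outgoing path
            self.sessions[key] = self.ssh.open_session(*key)
        self.ssh.send(self.sessions[key], whole_msg)
        return self.sessions[key]

    # --- MPSP: message-processing side --------------------------------
    def mpsp_process_incoming(self, whole_msg, ref):
        state = self.cache.pop(ref)
        return {"securityName": state.security_name,   # assumed identity mapping
                "securityLevel": state.security_level,
                "wholeMsg": whole_msg}

    def mpsp_generate_request(self, address, security_name, security_level,
                              scoped_pdu):
        if security_level not in LEVELS:
            raise ValueError(f"unknown securityLevel {security_level!r}")
        ref = next(self._refs)
        # A lesser requested level is still sent as authPriv.
        self.cache[ref] = TmState(address, security_name, "authPriv")
        whole_msg = {"securityParameters": b"",   # left empty by SSHSM
                     "scopedPDU": scoped_pdu}
        return whole_msg, ref


def demo():
    """Two requests to one target share a session; an incoming message opens none."""
    ssh = StubSsh()
    eng = Engine(ssh)
    target, user = "192.0.2.10", "operator"        # constructed sample values
    msg1, ref1 = eng.mpsp_generate_request(target, user, "noAuthNoPriv", b"get-1")
    applied = eng.cache[ref1].security_level
    s1 = eng.tmsp_send(msg1, ref1)
    msg2, ref2 = eng.mpsp_generate_request(target, user, "authPriv", b"get-2")
    s2 = eng.tmsp_send(msg2, ref2)
    incoming = eng.mpsp_process_incoming(*eng.tmsp_receive(target, user, b"resp"))
    return (applied, s1 == s2, len(ssh.opened),
            incoming["securityName"], incoming["securityLevel"])


if __name__ == "__main__":
    print(demo())
```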

2.3.  Requirements for Notifications and Proxy

   SSH connections may be initiated by command generators or by
   notification originators.  Command generators are frequently operated
   by a human, but notification originators frequently are unmanned
   automated processes.  As a result, it usually will be necessary to
   provision authentication credentials on the SNMP engine containing
   the notification originator, or use a third party key provider such
   as Kerberos, so the engine can successfully authenticate to an engine
   containing a notification receiver.

   The SNMP-TARGET-MIB module [RFC3413] contains objects for defining
   management targets, including transport domains and addresses and
   security parameters, for applications such as notifications and
   proxy.

   For SSHSM, transport type and address are configured in the
   snmpTargetAddrTable, and the securityModel, securityName, and
   securityLevel parameters are configured in the snmpTargetParamsTable.
   The default approach is for an administrator to statically
   preconfigure this information to identify the targets authorized to
   receive notifications or perform proxy.


3.  RFC 3411 Abstract Service Interfaces

   Abstract service interfaces have been defined by RFC 3411 to describe
   the conceptual data flows between the various subsystems within an
   SNMP entity.  The Secure Shell Security Model uses some of these
   conceptual data flows when communicating between subsystems, such as
   the dispatcher and the Message Processing Subsystem.  These RFC 3411-
   defined data flows are referred to here as public interfaces.

   [todo] Do we need these in a separate section like this?  Can we move
   these to the EOP section?

3.1.  Public Abstract Service Interfaces

3.1.1.  Public ASIs for Outgoing Messages

   The IN parameters of the prepareOutgoingMessage() ASI are used to
   pass information from the dispatcher (application subsystem) to the
   message processing subsystem.  The OUT parameters are used to pass
   information from the message processing subsystem to the dispatcher
   and on to the transport mapping:

   statusInformation =          -- success or errorIndication
   prepareOutgoingMessage(
   IN  transportDomain          -- transport domain to be used
   IN  transportAddress         -- transport address to be used
   IN  messageProcessingModel   -- typically, SNMP version
   IN  securityModel            -- Security Model to use
   IN  securityName             -- on behalf of this principal
   IN  securityLevel            -- Level of Security requested
   IN  contextEngineID          -- data from/at this entity
   IN  contextName              -- data from/in this context
   IN  pduVersion               -- the version of the PDU
   IN  PDU                      -- SNMP Protocol Data Unit
   IN  expectResponse           -- TRUE or FALSE
   IN  sendPduHandle            -- the handle for matching
                                   incoming responses
   OUT  destTransportDomain     -- destination transport domain
   OUT  destTransportAddress    -- destination transport address
   OUT  outgoingMessage         -- the message to send
   OUT  outgoingMessageLength   -- its length
               )

   The abstract service primitive from a Message Processing Model to a
   Security Model to generate the components of a Request message is:

         statusInformation =            -- success or errorIndication
           generateRequestMsg(
           IN   messageProcessingModel  -- typically, SNMP version
           IN   globalData              -- message header, admin data
           IN   maxMessageSize          -- of the sending SNMP entity
           IN   securityModel           -- for the outgoing message
           IN   securityEngineID        -- authoritative SNMP entity
           IN   securityName            -- on behalf of this principal
           IN   securityLevel           -- Level of Security requested
           IN   scopedPDU               -- message (plaintext) payload
           OUT  securityParameters      -- filled in by Security Module
           OUT  wholeMsg                -- complete generated message
           OUT  wholeMsgLength          -- length of generated message
                )

   The abstract service primitive from a Message Processing Model to a
   Security Model to generate the components of a Response message is:

Harrington & Salowey    Expires November 16, 2006              [Page 16]

         statusInformation =              -- success or errorIndication
           generateResponseMsg(
           IN   messageProcessingModel  -- typically, SNMP version
           IN   globalData              -- message header, admin data
           IN   maxMessageSize          -- of the sending SNMP entity
           IN   securityModel           -- for the outgoing message
           IN   securityEngineID        -- authoritative SNMP entity
           IN   securityName            -- on behalf of this principal
           IN   securityLevel           -- Level of Security requested
           IN   scopedPDU               -- message (plaintext) payload
           IN   securityStateReference  -- reference to security state
                                        -- information from original
                                        -- request
           OUT  securityParameters      -- filled in by Security Module
           OUT  wholeMsg                -- complete generated message
           OUT  wholeMsgLength          -- length of generated message
                )

   The abstract data elements passed as parameters in the abstract
   service primitives are as follows: [todo] check each parameter and
   determine if it is necessary for SSHSM and whether the description is
   accurate
   o  statusInformation - An indication of whether the encoding and
      securing of the message was successful.  If not it contains an
      indication of the problem.
   o  messageProcessingModel - The SNMP version number for the message
      to be generated.
   o  globalData - The message header (i.e., its administrative
      information).  This data is opaque to SSHSM.
   o  maxMessageSize - The maximum message size as included in the
      message.  This data is not used by SSHSM.
   o  securityModel - The securityModel in use.  Should be the SSH
      Security Model.
   o  securityEngineID - SSHSM always sets this to the snmpEngineID of
      the sending SNMP engine.
   o  securityName - identifies a principal to be used for securing an
      outgoing message.  The securityName has a format that is
      independent of the Security Model.  In case of a response this
      parameter is ignored and the value from the securityStateReference
      cache is used.
   o  securityLevel - Ignored by SSHSM, which always uses an authPriv
      securityLevel.
   o  scopedPDU - The message payload.  The data is opaque to SSHSM.
   o  securityStateReference - A handle/reference to cachedSecurityData
      to be used when securing an outgoing Response message.  This is
      the exact same securityStateReference as was generated by the SSH
      Security module when processing the incoming Request message to
      which this is the Response message.
   o  securityParameters - Always set to empty by SSHSM.
   o  wholeMsg - The fully encoded SNMP message ready for sending on the
      wire.
   o  wholeMsgLength - The length of the encoded SNMP message
      (wholeMsg).

   Upon completion of the process, the SSH Security module returns
   statusInformation.  If the process was successful, the completed
   message is returned, without the privacy and authentication applied
   yet.  If the process was not successful, then an errorIndication is
   returned.

3.1.2.  Public ASIs for Incoming Messages

   The abstract service primitive from a Transport Mapping (in the
   dispatcher) to a Message Processing Model for a received message is:

   result =                           -- SUCCESS or errorIndication
   prepareDataElements(
   IN   transportDomain           -- origin transport domain
   IN   transportAddress          -- origin transport address
   IN   wholeMsg                  -- as received from the network
   IN   wholeMsgLength            -- as received from the network
   OUT  messageProcessingModel    -- typically, SNMP version
   OUT  securityModel             -- Security Model to use
   OUT  securityName              -- on behalf of this principal
   OUT  securityLevel             -- Level of Security requested
   OUT  contextEngineID           -- data from/at this entity
   OUT  contextName               -- data from/in this context
   OUT  pduVersion                -- the version of the PDU
   OUT  PDU                       -- SNMP Protocol Data Unit
   OUT  pduType                   -- SNMP PDU type
   OUT  sendPduHandle             -- handle for matched request
   OUT  maxSizeResponseScopedPDU  -- maximum size sender can accept
   OUT  statusInformation         -- success or errorIndication
                                   -- error counter OID/value if error
   OUT  stateReference            -- reference to state information
                                   -- to be used for possible Response
   )


   The abstract service primitive from a Message Processing Model to the
   Security Subsystem for a received message is:

   statusInformation =    -- errorIndication or success
                            -- error counter OID/value if error
   processIncomingMsg(
   IN   messageProcessingModel    -- typically, SNMP version
   IN   maxMessageSize            -- of the sending SNMP entity
   IN   securityParameters        -- for the received message
   IN   securityModel             -- for the received message
   IN   securityLevel             -- Level of Security
   IN   wholeMsg                  -- as received on the wire
   IN   wholeMsgLength            -- length as received on the wire
   OUT  securityEngineID          -- authoritative SNMP entity
   OUT  securityName              -- identification of the principal
   OUT  scopedPDU,                -- message (plaintext) payload
   OUT  maxSizeResponseScopedPDU  -- maximum size sender can handle
   OUT  securityStateReference    -- reference to security state
    )                         -- information, needed for response


4.  SNMP Messages Using this Security Model

   The syntax of an SNMP message using this Security Model adheres to
   the message format defined in the version-specific Message Processing
   Model document (for example [RFC3412]).  At the time of this writing,
   there are three defined message formats - SNMPv1, SNMPv2c, and
   SNMPv3.  SNMPv1 and SNMPv2c have been declared Historic, so this memo
   only deals with SNMPv3 messages.

   The processing is compatible with the RFC 3412 primitives,
   generateRequestMsg() and processIncomingMsg(), that show the data
   flow between the Message Processor and the MPSP.

4.1.  SNMPv3 Message Fields

   The SNMPv3Message SEQUENCE is defined in [RFC3412].

   SNMPv3MessageSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN

          SNMPv3Message ::= SEQUENCE {
              -- identify the layout of the SNMPv3Message
              -- this element is in same position as in SNMPv1
              -- and SNMPv2c, allowing recognition
              -- the value 3 is used for snmpv3
              msgVersion INTEGER ( 0 .. 2147483647 ),
              -- administrative parameters
              msgGlobalData HeaderData,
              -- security model-specific parameters
              -- format defined by Security Model
              msgSecurityParameters OCTET STRING,
              msgData  ScopedPduData
          }

          HeaderData ::= SEQUENCE {
              msgID      INTEGER (0..2147483647),
              msgMaxSize INTEGER (484..2147483647),

              msgFlags   OCTET STRING (SIZE(1)),
                         --  .... ...1   authFlag
                         --  .... ..1.   privFlag
                         --  .... .1..   reportableFlag
                         --              Please observe:
                         --  .... ..00   is OK, means noAuthNoPriv
                         --  .... ..01   is OK, means authNoPriv
                         --  .... ..10   reserved, MUST NOT be used.
                         --  .... ..11   is OK, means authPriv

              msgSecurityModel INTEGER (1..2147483647)
          }

          ScopedPduData ::= CHOICE {
              plaintext    ScopedPDU,
              encryptedPDU OCTET STRING  -- encrypted scopedPDU value
          }

          ScopedPDU ::= SEQUENCE {
              contextEngineID  OCTET STRING,
              contextName      OCTET STRING,
              data             ANY -- e.g., PDUs as defined in [RFC3416]
          }
      END


   The following describes how SSHSM treats certain fields in the
   message:

4.1.1.  msgGlobalData

   msgGlobalData is opaque to SSHSM.  The values are set by the Message
   Processing model (e.g., SNMPv3 Message Processing), and are not
   modified by SSHSM.

   msgMaxSize is determined by the implementation.

   To avoid the need to mess with the ASN.1 encoding, msgGlobalData
   contains the value of msgFlags set by the Message Processing model
   (e.g., SNMPv3 Message Processing), not the actual (authPriv)
   securityLevel applied to the message by SSHSM.

   msgSecurityModel is set by the Message Processing model (e.g.,
   SNMPv3) to the IANA-assigned value for the Secure Shell Security
   Model.  See http://www.iana.org/assignments/snmp-number-spaces.

4.1.2.  msgSecurityParameters

   Since message security is provided by a "lower layer", and the
   securityName parameter is always determined from the SSH
   authentication method, the SNMP message does not need to carry
   message security parameters within the msgSecurityParameters field.

   The field msgSecurityParameters in SNMPv3 messages has a data type of
   OCTET STRING.  To prevent its being used in a manner that could be
   damaging, such as for carrying a virus or worm, when used with SSHSM
   its value MUST be the BER serialization of a zero-length OCTET
   STRING.

      SSHSMSecurityParametersSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN

      SSHsmSecurityParameters ::=
             SEQUENCE {
                    OCTET STRING
             }
      END
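
The field rules of sections 4.1 to 4.1.2, and the parseError check that opens processIncomingMsg in section 5.5, can be exercised with a small BER reader. This is an added example, not code from the draft: it takes the MUST sentence literally (the field contents are the two octets 04 00, without the SEQUENCE wrapper of the syntax module), and the sample message with its securityModel value 99 is a constructed placeholder.

```python
class SshsmParseError(ValueError):
    """Raised where the draft returns parseError to the calling module."""


# Low two bits of msgFlags -> securityLevel, from the HeaderData comments.
LEVELS = {0b00: "noAuthNoPriv", 0b01: "authNoPriv", 0b11: "authPriv"}
EMPTY_OCTET_STRING = b"\x04\x00"  # BER: OCTET STRING tag, length 0


def read_tlv(buf, off):
    """Read one definite-length BER TLV; return (tag, value, next_offset)."""
    if off + 2 > len(buf):
        raise SshsmParseError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short form
        length = first
    else:                                  # long form, 1..4 length octets
        n = first & 0x7F
        if not 1 <= n <= 4 or off + n > len(buf):
            raise SshsmParseError("bad or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise SshsmParseError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length


def expect(buf, off, tag, what):
    got, value, nxt = read_tlv(buf, off)
    if got != tag:
        raise SshsmParseError(f"{what}: expected tag {tag:#04x}, got {got:#04x}")
    return value, nxt


def to_int(value):
    return int.from_bytes(value, "big", signed=True)


def check_sshsm_message(whole_msg):
    """Parse the outer SNMPv3Message and apply the SSHSM field rules."""
    body, end = expect(whole_msg, 0, 0x30, "SNMPv3Message")
    if end != len(whole_msg):
        raise SshsmParseError("trailing bytes after SNMPv3Message")
    v, off = expect(body, 0, 0x02, "msgVersion")
    if to_int(v) != 3:
        raise SshsmParseError("msgVersion is not 3")
    hdr, off = expect(body, off, 0x30, "msgGlobalData")
    sec_params, off = expect(body, off, 0x04, "msgSecurityParameters")

    v, h = expect(hdr, 0, 0x02, "msgID")
    msg_id = to_int(v)
    v, h = expect(hdr, h, 0x02, "msgMaxSize")
    max_size = to_int(v)
    flags, h = expect(hdr, h, 0x04, "msgFlags")
    v, h = expect(hdr, h, 0x02, "msgSecurityModel")
    model = to_int(v)

    if max_size < 484:
        raise SshsmParseError("msgMaxSize below 484")
    if len(flags) != 1 or (flags[0] & 0x03) not in LEVELS:
        raise SshsmParseError("msgFlags: reserved combination or wrong size")
    if sec_params != EMPTY_OCTET_STRING:
        raise SshsmParseError("msgSecurityParameters is not an empty OCTET STRING")
    return {
        "msgID": msg_id, "msgMaxSize": max_size, "msgSecurityModel": model,
        # Level set by the Message Processing Model; SSHSM itself always
        # applies authPriv, so this is not the level actually in force.
        "msgFlagsLevel": LEVELS[flags[0] & 0x03],
        "reportable": bool(flags[0] & 0x04),
        "msgData": body[off:],
    }


def tlv(tag, value):
    if len(value) > 127:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(value)]) + value


def ber_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_sample(flags=0x07, sec_params=EMPTY_OCTET_STRING, model=99):
    """Constructed sample message; model 99 is a placeholder, not an IANA value."""
    header = tlv(0x30, ber_int(1) + ber_int(1500) + tlv(0x04, bytes([flags])) + ber_int(model))
    pdu = tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, b""))
    scoped = tlv(0x30, tlv(0x04, b"\x80\x00\x00\x00\x01") + tlv(0x04, b"") + pdu)
    return tlv(0x30, ber_int(3) + header + tlv(0x04, sec_params) + scoped)
```
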

4.2.  Passing Security Parameters

   For SSHSM, there are two levels of state that need to be maintained:
   the session state, and the message state.

4.2.1.  tmStateReference

   For each session, SSHSM stores information about the session in the
   Local Configuration Datastore, supplemented with a cache to store
   model- and mechanism-specific parameters.

   Upon opening an SSH connection, the TMSP will store the transport
   parameters in the tmSessionTable of the TMSM-MIB [I-D.ietf-isms-tmsm]
   for subsequent usage.

      tmsmSessionID = a unique local identifier
      tmsmTransport = transportDomainSSH
      tmsmSessionAddress = a TransportAddressSSH
      tmsmSessionSecurityModel = SSHSM
      tmsmSessionSecurityLevel = "authPriv"
      tmsmSessionSecurityName = the principal name authenticated by SSH.
      How this data is extracted from the SSH environment and how it is
      translated into a securityName is implementation-dependent.  By
      default, the tmSecurityName is the name that has been successfully
      authenticated by SSH, from the user name field of the
      SSH_MSG_USERAUTH_REQUEST message.
      tmsmSessionEngineID = if known, the value of the remote engine's
      snmpEngineID. [discuss] is this the appropriate place to store an
      engineID?  It isn't used by SSHSM or TMSM.

   How the SSH identity is extracted from the SSH layer, and how the SSH
   identity is mapped to a securityName for storage in tmsmSessionTable
   is implementation-dependent.  Additional information may be stored in
   a local datastore (such as a preconfigured mapping table) or in a
   cache, such as the value of an SSH session identifier (as distinct
   from the tmsmSessionID).

   The tmStateReference is used to pass references to the appropriate
   session information between the TMSP and MPSP through the ASIs.

   The SSHSM has the responsibility for explicitly releasing the
   complete tmStateReference and deleting the associated
   tmsmSessionEntry in the tmsmSessionTable when the session is
   destroyed.

4.2.2.  securityStateReference

   For each message received, SSHSM caches message-specific security
   information such that a Response message can be generated using the
   same security information, even if the Configuration Datastore is
   altered between the time of the incoming request and the outgoing
   response.  The securityStateReference is used to preserve the data
   needed to generate a Response message with the same security
   information.  This information includes the model-independent
   parameters (securityName, securityLevel, transport address, and
   transport type).  The Message Processing Model has the responsibility
   for explicitly releasing the securityStateReference when such data is
   no longer needed.  The securityStateReference cached data may be
   implicitly released via the generation of a response, or explicitly
   released by using the stateRelease primitive, as described in RFC
   3411 section 4.5.1.

   The SSH standard does not require that a session be maintained nor
   that it be closed when the keys associated with the host or client
   associated with the session are changed.  Some SSH implementations
   might close an existing session if the keys associated with the
   session change.  For SSHSM, if the session is closed between the time
   a Request is received and a Response message is being prepared, then
   the Response should be discarded.

   The following parameters associated with an incoming request message
   are applied to the outgoing response:
      messageProcessingModel = SNMPv3
      securityModel = SSHSM
      sessionID = tmSessionID


5.  Elements of Procedure

5.1.  Generating an Outgoing SNMP Message

   This section describes the procedure followed by the MPSP portion of
   the Secure Shell Security Model whenever it generates a message
   containing a management operation (like a request, a response, a
   notification, or a report) on behalf of a user.

   The parameters needed are supplied by the Message Processing Model
   via the generateRequestMsg() or the generateResponseMsg() ASI.  The
   TMSM extension has added the tmStateReference to these ASIs.

     statusInformation =                  -- success or errorIndication
           generateRequestMsg(
           IN   messageProcessingModel  -- typically, SNMP version
           IN   globalData              -- message header, admin data
           IN   maxMessageSize          -- of the sending SNMP entity
           IN   securityModel           -- for the outgoing message
           IN   securityEngineID        -- authoritative SNMP entity
           IN   securityName            -- on behalf of this principal
           IN   securityLevel           -- Level of Security requested
           IN   scopedPDU               -- message (plaintext) payload
           OUT  securityParameters      -- filled in by Security Module
           OUT  wholeMsg                -- complete generated message
           OUT  wholeMsgLength          -- length of generated message
           OUT  tmStateReference        -- reference to session info
                )

   statusInformation =   -- success or errorIndication
           generateResponseMsg(
           IN   messageProcessingModel  -- typically, SNMP version
           IN   globalData              -- message header, admin data
           IN   maxMessageSize          -- of the sending SNMP entity
           IN   securityModel           -- for the outgoing message
           IN   securityEngineID        -- authoritative SNMP entity
           IN   securityName            -- on behalf of this principal
           IN   securityLevel           -- Level of Security requested
           IN   scopedPDU               -- message (plaintext) payload
           IN   securityStateReference  -- reference to security state
                                        -- information from original
                                        -- request
           OUT  securityParameters      -- filled in by Security Module
           OUT  wholeMsg                -- complete generated message
           OUT  wholeMsgLength          -- length of generated message
           OUT  tmStateReference        -- reference to session info
                )

5.2.  MPSP

      1) Verify securityModel = sshsmSecurityModel.  Determine whether
      we need to use the SSH subsystem for Request/Responses ("SNMP"),
      or for Notifications ("SNMPNotification") or Reports.
      [discuss] #34 - how do we determine this?
      2) If there is a securityStateReference (indicating this must be a
      Response or Report message), then extract the tmStateReference,
      securityModel, securityName, and securityLevel from the
      cachedSecurityData.  At this point, the cachedSecurityData can now
      be discarded.
      2b) If the session referenced by tmStateReference does not still
      exist then an error indication (noAvailableSession) is returned to
      the calling module and the message is discarded. [todo] add an
      appropriate object to TMSM-MIB.
      3) If there is no securityStateReference, then look up the session
      in the tmsmSessionTable using {securityModel, securityName,
      securityLevel}, and create a tmStateReference.
      [discuss] tmsmSessionTable is indexed by SessionID, which we do
      not have, and a unique tmsmSessionEntry requires knowing the
      transport and address, which we do not have.  Even if we could
      look up the appropriate entry, are we not likely to need more than
      the model-independent sName/Model/Level info, such as the SSH send
      and receive channels?
      4) If there is no session info for this index, then create an
      incomplete tmStateReference indexed by the provided {securityName,
      securityLevel, and securityModel}.  Store the securityModel and
      maxMessageSize information.  When the TMSP gets the incomplete
      tmStateReference, it will recognize that it needs to establish a
      new session, and fill in the rest of the information for
      subsequent use.
      5) fill in the securityParameters with the serialization of a
      zero-length OCTET STRING.
      6) The wholeMsg is now serialized and then represents the
      unauthenticated message being prepared.
      7) The completed message (wholeMsg) with its length
      (wholeMsgLength) and securityParameters (a zero-length octet
      string) and tmStateReference is returned to the calling module
      with the statusInformation set to success.

   The Message Processing Model then passes information to the
   dispatcher for forwarding to the Transport Mapping.
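
Steps 1 to 4 above, together with the securityStateReference rules of section 4.2.2, modelled as an added example that is not part of the draft. The class and method names, the linear session lookup and the wrongSecurityModel status are assumptions; the draft leaves the lookup open in its [discuss] note.

```python
import itertools
from dataclasses import dataclass
from typing import Optional

SSHSM = "SSHSM"  # placeholder for the IANA-assigned securityModel number


@dataclass
class TmStateReference:
    security_model: str
    security_name: str
    security_level: str
    max_message_size: int = 0
    session_id: Optional[int] = None
    transport_address: Optional[str] = None

    @property
    def incomplete(self):
        # No transport address yet: the TMSP must call openSession().
        return self.transport_address is None


class Mpsp:
    def __init__(self):
        self.sessions = {}  # stands in for tmsmSessionTable, keyed by sessionID
        self.cached = {}    # securityStateReference -> cachedSecurityData
        self._next = itertools.count(1)

    def session_opened(self, security_name, address):
        sid = next(self._next)
        self.sessions[sid] = TmStateReference(
            SSHSM, security_name, "authPriv",
            session_id=sid, transport_address=address)
        return sid

    def session_closed(self, sid):
        self.sessions.pop(sid, None)

    def message_received(self, sid):
        """Snapshot per-message state; the handle is the securityStateReference."""
        s = self.sessions[sid]
        handle = next(self._next)
        self.cached[handle] = (sid, s.security_model, s.security_name, s.security_level)
        return handle

    def generate(self, security_model, security_name, security_level,
                 max_message_size, security_state_reference=None):
        """Return (status, tmStateReference, securityName actually used)."""
        # Step 1: this Security Model only handles its own securityModel.
        if security_model != SSHSM:
            return "wrongSecurityModel", None, None  # hypothetical status name
        # Step 2: a Response or Report takes its parameters from the cache,
        # ignoring the caller's securityName; the cache entry is single use.
        if security_state_reference is not None:
            sid, _model, name, _level = self.cached.pop(security_state_reference)
            session = self.sessions.get(sid)
            # Step 2b: the session went away between request and response.
            if session is None:
                return "noAvailableSession", None, None
            return "success", session, name
        # Step 3: look for an existing session for this principal.
        for session in self.sessions.values():
            if (session.security_model, session.security_name,
                    session.security_level) == (security_model, security_name, security_level):
                return "success", session, security_name
        # Step 4: no session yet; hand the TMSP an incomplete reference.
        tm = TmStateReference(security_model, security_name, security_level,
                              max_message_size)
        return "success", tm, security_name
```
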

5.3.  Sending an Outgoing SNMP Message to the Network

   The Dispatcher passes the information to the Transport Mapping using
   the ASI defined in the TMSM extension:

5.3.1.  TMSP

   The TMSP portion of the Secure Shell Security Model performs the
   following tasks:

      8) Uses tmStateReference to look up session information.
      10) If the session information is incomplete (i.e., has no
      tmTransportAddress), then call openSession() using the
      destTransportDomain and destTransportAddress (the output of the
      prepareOutgoingMessage() ASI) and the securityModel, securityName,
      securityLevel from the tmStateReference.  Store all information in
      the tmStateReference for subsequent use.

      11) An SSH_MSG_CHANNEL_DATA message is sent, indicating the
      recipient channel and encapsulating the wholeMessage.

   [discuss] #28: For notification tables, how do we predefine the
   dynamic session identifiers?

5.4.  [todo] Prepare Data Elements from an Incoming SNMP Message

   For an incoming message, the TMSP will need to put information from
   the transport mechanisms used into the tmStateReference so the MPSP
   can extract the information and add it conceptually to the
   securityStateReference.

5.5.  Processing an Incoming SNMP Message

   This section describes the procedure followed by an SNMP engine
   whenever it receives a message containing a management operation on
   behalf of a user.

   To simplify the elements of procedure, the release of state
   information is not always explicitly specified.  As a general rule,
   if state information is available when a message gets discarded, the
   message-state information should also be released, and if state
   information is available when a session is closed, the session state
   information should also be released.  Also, an error indication can
   return an OID and value for an incremented counter and optionally a
   value for securityLevel, and values for contextEngineID or
   contextName for the counter.  In addition, the securityStateReference
   data is returned if any such information is available at the point
   where the error is detected. [todo] this paragraph may no longer be
   accurate because of persistent session state information.

   The abstract service primitive from a Message Processing Model to the
   Security Subsystem for a received message is:

   statusInformation =    -- errorIndication or success
                            -- error counter OID/value if error
   processIncomingMsg(
   IN   messageProcessingModel    -- typically, SNMP version
   IN   maxMessageSize            -- of the sending SNMP entity
   IN   securityParameters        -- for the received message
   IN   securityModel             -- for the received message
   IN   securityLevel             -- Level of Security
   IN   wholeMsg                  -- as received on the wire
   IN   wholeMsgLength            -- length as received on the wire
   OUT  securityEngineID          -- authoritative SNMP entity
   OUT  securityName              -- identification of the principal
   OUT  scopedPDU,                -- message (plaintext) payload
   OUT  maxSizeResponseScopedPDU  -- maximum size sender can handle
   OUT  securityStateReference    -- reference to security state
    )                         -- information, needed for response

   1) If the received securityParameters is not the serialization of an
   OCTET STRING formatted according to the SSHsmSecurityParameters, and
   the contained OCTET STRING is not empty, then the snmpInASNParseErrs
   counter [RFC3418] is incremented, and an error indication
   (parseError) is returned to the calling module.  Note that we return
   without the OID and value of the incremented counter, which may be
   important if this security model supports generating a Report PDU,
   because in this case there is not enough information to generate a
   Report PDU.

   2) The SSHSM queries the associated SSH engine, in an implementation-
   dependent manner, to determine the transport and security parameters
   for the received message:
      a) the transportDomain and transportAddress
      b) tmSecurityName - an identifier for the authenticated entity
      c) whether authentication is on or off,
      d) whether encryption is on or off,
      e) integrity-checking options

   3) The securityEngineID is set to the local snmpEngineID, to satisfy
   the SNMPv3 message processing model in RFC 3412 section 7.2 13a).
   [discuss] verify this works.

   4) If the information about the message security indicates that the
   security options do not match the securityLevel requested by the
   caller, then the SSHsmStatsUnsupportedSecLevels counter is
   incremented and an error indication (unsupportedSecurityLevel)
   together with the OID and value of the incremented counter is
   returned to the calling module.

   5) The scopedPDU component is assumed to be in plain text and is the
   message payload to be returned to the calling module.

   7) The maxSizeResponseScopedPDU is calculated.  This is the maximum
   size allowed for a scopedPDU for a possible Response message.
   Provision is made for a message header that allows the same
   securityLevel as the received Request.

   10) Information about the value of tmSecurityName is extracted from
   the Local Configuration Datastore (LCD) to provide conversion from
   the SSH authentication-method-specific tmSecurityName to a model-
   independent securityName.  If no information is available for the
   username in the LCD, then the securityName is set to the username
   associated with the session.

   11) The security data is cached as cachedSecurityData, so that a
   possible response to this message can and will use the same
   authentication and privacy parameters.  Information to be saved/
   cached is as follows: [todo] copy from the "Passing Security
   Parameters" section above.
      transportDomain, transportAddress
      SSH username,
      auth options
      encryption options
      Integrity checking options

   12) The statusInformation is set to success and a return is made to
   the calling module passing back the OUT parameters as specified in
   the processIncomingMsg primitive.

5.6.  Establishing a Session

   The Secure Shell Security Model provides the following primitive to
   pass data back and forth between the Transport Mapping portion of the
   Security Model and the SSH service:

   statusInformation =
   openSession(
   IN   destTransportDomain       -- transport domain to be used
   IN   destTransportAddress      -- transport address to be used
   IN   securityModel             -- Security Model to use
   IN   securityName              -- on behalf of this principal
   IN   securityLevel             -- Level of Security requested
   OUT  sessionID
    )



   The following describes the procedure to follow to establish a
   session between a client and server to run SNMP over SSH.  This
   process is followed by any SNMP engine establishing a session for
   subsequent use.

   This will be done automatically by an SNMP application that initiates
   a transaction, such as a Command Generator or a Notification
   Originator or a Proxy Forwarder.  It is never triggered by an
   application preparing a response message, such as a Command Responder
   or Notification Receiver, because securityStateReference will always
   have session information for a response message.

   The parameters necessary to establish a session are provided by the
   Secure Shell Security Model to the SSH client code, using the
   openSession() ASI.

   1) If the securityLevel specifies that the message is to be
   authenticated, but the SSH implementation does not support an
   authentication protocol, then the message cannot be sent.  An error
   indication (unsupportedSecurityLevel) is returned to the calling
   module.

   2) If the securityLevel specifies that the message is to be protected
   from disclosure, but the SSH implementation does not support
   encryption, then the message cannot be sent.  An error indication
   (unsupportedSecurityLevel) is returned to the calling module.

   3) Using destTransportDomain and destTransportAddress, the client
   will establish an SSH transport connection using the SSH transport
   protocol, and the client and server will mutually authenticate, and
   exchange keys for message integrity and encryption.  If the attempt
   to establish a connection is successful, then tmStateReference is
   created, and the values of transportDomain and transportAddress are
   saved.  If the attempt to establish a connection is unsuccessful,
   then an error indication [todo] will be returned, and [todo]
   processing stops.

   [discuss] How do we open an SSH connection?  Do we need to specify
   what type of authentication we want (password, publickey, etc.)?  Do
   we have to specify that we want encryption?

   4) The provided transport address, securityName and securityLevel are
   used to lookup the associated entry in the Local Configuration
   Datastore (LCD), and the model-specific information concerning the
   principal at the destination is extracted.  This step allows
   preconfiguration of model-specific principals mapped to the
   transport/name/level, for example, for sending notifications using
   host-only authentication.  Set the username in the
   SSH_MSG_USERAUTH_REQUEST to the username extracted from the LCD.

   If information about the principal is absent from the LCD, then set
   the username in the SSH_MSG_USERAUTH_REQUEST to the value of
   securityName.  This allows a deployment without preconfigured
   mappings between model-specific and model-independent names, but the
   securityName will need to contain a username recognized by the
   authentication mechanism.

   5) The client will then invoke the "ssh-userauth" service to
   authenticate the user, as described in the SSH authentication
   protocol [RFC4252].

   6) If the authentication is unsuccessful, then the transport
   connection should be closed, tmStateReference is discarded, the
   message is discarded, an error indication (unknownSecurityName) is
   returned to the calling module, and processing stops for this
   message.

   7) Once the principal has been successfully authenticated, the client
   will invoke the "ssh-connection" service, also known as the SSH
   connection protocol [RFC4254].

   8) After the ssh-connection service is established, the client will
   use an SSH_MSG_CHANNEL_OPEN message to open a channel of type
   "session", providing a selected sender channel number, and a maximum
   packet size based on maxMessageSize.

   9) If successful, this will result in an SSH session.  The
   destTransportDomain and the destTransportAddress, plus the "recipient
   channel" and "sender channel" and other relevant data from the
   SSH_MSG_CHANNEL_OPEN_CONFIRMATION are added to the tmStateReference
   for subsequent use.

   10) Running SNMP as an SSH subsystem avoids the need for the script
   to recognize shell prompts or skip over extraneous information, such
   as a system message that is printed at shell start-up.  Once the SSH
   session has been established, the SNMP engine will invoke SNMP as an
   SSH subsystem, as indicated in the "subsystem" parameter.

   In order to allow SNMP traffic to be easily identified and filtered
   by firewalls and other network devices, servers associated with SNMP
   entities using the Secure Shell Security Model MUST default to
   providing access to the "SNMP" SSH subsystem only when the SSH
   session is established using the IANA-assigned TCP port (TBD).
   Servers SHOULD be configurable to allow access to the SNMP SSH
   subsystem over other ports.

   [discuss] We must perform some type of engineID discovery to provide
   the mapping between transport address, SSH session, TMSM session, and
   engineID at this point in the session establishment procedure.  The
   engine cannot perform an SNMP GET command requesting the value of the
   remote engine's snmpEngineID object,

   11) Create a tmStateReference cache (and/or sshsmSessionEntry)
   recording the following information:
      the remote engine's snmpEngineID
      the transport address
      the recipient and sender channels
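
   The following sketch is an added example, not part of the draft: it
   encodes the SSH connection-protocol messages behind steps 4 and 8-11
   using the RFC 4254 wire formats.  The function and class names, the
   initial window size, the subsystem name passed by the caller, and the
   sample LCD entry and confirmation bytes are assumptions constructed
   for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Message numbers assigned in RFC 4254.
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_REQUEST = 98

LcdKey = Tuple[str, str, str]  # (transport address, securityName, securityLevel)


def select_username(lcd: Dict[LcdKey, str], address: str,
                    security_name: str, security_level: str) -> str:
    """Step 4: username from the LCD entry, or securityName when none exists."""
    return lcd.get((address, security_name, security_level), security_name)


def ssh_string(value: bytes) -> bytes:
    """SSH 'string' encoding (RFC 4251): uint32 length, then the bytes."""
    return struct.pack(">I", len(value)) + value


def build_channel_open(sender_channel: int, initial_window: int,
                       max_message_size: int) -> bytes:
    """Step 8: open a 'session' channel; max packet size follows maxMessageSize."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, initial_window,
                          max_message_size))


@dataclass
class TmStateReference:
    """Steps 9 and 11: what the client caches about the session."""
    dest_transport_domain: str
    dest_transport_address: str
    local_channel: int    # 'recipient channel' in the confirmation (our number)
    remote_channel: int   # 'sender channel' in the confirmation (peer's number)
    remote_max_packet: int
    snmp_engine_id: Optional[bytes] = None  # unknown until discovery is settled


def parse_open_confirmation(payload: bytes, expected_channel: int,
                            domain: str, address: str) -> TmStateReference:
    """Step 9: validate SSH_MSG_CHANNEL_OPEN_CONFIRMATION and record its fields."""
    if len(payload) < 17:
        raise ValueError("truncated SSH_MSG_CHANNEL_OPEN_CONFIRMATION")
    if payload[0] != SSH_MSG_CHANNEL_OPEN_CONFIRMATION:
        raise ValueError("unexpected message type %d" % payload[0])
    recipient, sender, _window, max_packet = struct.unpack_from(">IIII",
                                                                payload, 1)
    # The peer echoes the channel number we chose; anything else is not ours.
    if recipient != expected_channel:
        raise ValueError("confirmation is for a channel we did not open")
    return TmStateReference(domain, address, recipient, sender, max_packet)


def build_subsystem_request(state: TmStateReference, subsystem: str) -> bytes:
    """Step 10: ask the server to start the named subsystem on the channel."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", state.remote_channel)  # peer's channel number
            + ssh_string(b"subsystem")
            + b"\x01"                                   # want reply = TRUE
            + ssh_string(subsystem.encode("ascii")))


# Constructed sample data (not taken from the draft).
SAMPLE_ADDRESS = "192.0.2.10:2222"
SAMPLE_LCD = {(SAMPLE_ADDRESS, "ops", "authPriv"): "snmp-ops"}
# Server confirms our channel 7, allocates its own channel 42.
SAMPLE_CONFIRMATION = bytes([91]) + struct.pack(">IIII", 7, 42, 2097152, 32768)

if __name__ == "__main__":
    print("username:", select_username(SAMPLE_LCD, SAMPLE_ADDRESS,
                                       "ops", "authPriv"))
    print("open:", build_channel_open(7, 65536, 8192).hex())
    state = parse_open_confirmation(SAMPLE_CONFIRMATION, 7,
                                    "transportDomainSSH", SAMPLE_ADDRESS)
    print("state:", state)
    # "snmp" is a placeholder subsystem name for this sample.
    print("subsystem:", build_subsystem_request(state, "snmp").hex())
```

   Note that the channel number sent in later requests is the peer's
   number (the confirmation's "sender channel"), not the number the
   client chose in step 8.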

5.7.  Closing a Session

   The Secure Shell Security Model provides the following primitive to
   pass data back and forth between the Security Model and the SSH
   service:

   statusInformation =
   closeSession(
   IN  sessionID
   )



   The following describes the procedure to follow to close a session
   between a client and server to run SNMP over SSH.  This process is
   followed by any SNMP engine closing the corresponding SNMP session.



   The Secure Shell Security Model identifies which session should be
   closed to the SSH client code, using the closeSession() ASI.

   [discuss] #23: We need to discuss the circumstances under which a
   session should be closed, and how an SNMP engine should determine if,
   and respond if the SSH session is closed by other means.

5.8.  Discovery

   Since snmpEngineID isn't really needed for authentication and
   integrity checking, it becomes useful primarily for contextEngineID.
   contextEngineID is useful for proxy, and for a management application
   to uniquely identify an SNMP entity.  Since snmpEngineID is an object
   in the SNMP-FRAMEWORK-MIB, the mapping between engineID and transport
   address could be established after a tunnel is established, or could
   be determined using noAuthNoPriv (with suitable caveats).

   [discuss] #24: How should we enable auto-discovery?  Auto-discovery
   of SNMP devices is an important feature of many NMS platforms.
   Should we simply use a noAuthNoPriv request, and recommend an
   associated access control configuration that only makes accessible
   relatively benign data such as sysOID, sysDescription, and
   snmpEngineID?  Should we standardize this approach for all TMSM
   models, including a "named policy" for what can be discovered (a
   policy to be configured within whatever access control system is
   used)?

   ** The problem is that the agent won't respond to a GET if you do not
   ** have the proper engineID.  So I think we need a discovery procedure
   ** which is based on reports.

   Alternatively, can we let USM perform discovery so we don't have to
   attempt to establish an SSH connection first?  USM is the mandatory-
   to-implement security model, so this could make sense.


6.  Overview


7.  Structure of the MIB Module

   Objects in this MIB module are arranged into subtrees.  Each subtree
   is organized as a set of related objects.  The overall structure and
   assignment of objects to their subtrees, and the intended purpose of
   each subtree, is shown below.

7.1.  Textual Conventions

   Generic and Common Textual Conventions used in this document can be
   found summarized at http://www.ops.ietf.org/mib-common-tcs.html



7.2.  The sshsmStats Subtree

   This subtree contains SSHSM security-model-dependent counters.

   This subtree provides information for identifying fault conditions
   and performance degradation.

7.3.  The sshsmSession Subtree

   This subtree contains SSHSM security-model-dependent information
   about sessions.

7.4.  Relationship to Other MIB Modules

   Some management objects defined in other MIB modules are applicable
   to an entity implementing SSHSM.  In particular, it is assumed that
   an entity implementing SSHSM will implement the SNMPv2-MIB [RFC3418],
   the SNMP-FRAMEWORK-MIB [RFC3411] and the TMSM-MIB [I-D.ietf-isms-
   tmsm].

   This MIB module is for managing SSHSM-specific information.

7.4.1.  Relationship to the SNMPv2-MIB

   The 'system' group in the SNMPv2-MIB [RFC3418] is defined as being
   mandatory for all systems, and the objects apply to the entity as a
   whole.  The 'system' group provides identification of the management
   entity and certain other system-wide data.  The SSHSM-MIB does not
   duplicate those objects. [todo] if the SSHSM-MIB does not actually
   have dependencies on SNMPv2-MIB other than imports, then remove this
   paragraph.

7.4.2.  Relationship to the SNMP-FRAMEWORK-MIB

   [todo] if the SSHSM-MIB does not actually have dependencies on SNMP-
   FRAMEWORK-MIB other than imports, then remove this paragraph.

7.4.3.  Relationship to the TMSM-MIB

   The 'tmsmSession' group in the TMSM-MIB [I-D.ietf-isms-tmsm] is
   defined as being applicable to all Transport-Mapping Security Models
   that use sessions. [todo] if the SSHSM-MIB does not actually have
   dependencies on TMSM-MIB other than imports, then remove this
   paragraph.







7.4.4.  MIB Modules Required for IMPORTS

   The following MIB module imports items from [RFC2578], [RFC2579],
   [RFC2580], [RFC3411], [RFC3419], and [I-D.ietf-isms-tmsm].


8.  MIB module definition

   ** Is AES the only officially required to support SSH encryption
   ** mechanisms?  It seems RFC 4344 has much more to offer.  BTW, is it
   ** useful to export all this information in an SSHSM MIB module?  Some
   ** of the stuff seems generic SSH...

   SSHSM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       OBJECT-IDENTITY, mib-2, snmpDomains, Counter32, Integer32
         FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, TestAndIncr, AutonomousType
         FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP
         FROM SNMPv2-CONF
       SnmpAdminString, SnmpSecurityLevel, SnmpEngineID
         FROM SNMP-FRAMEWORK-MIB
       TransportAddress, TransportAddressType
         FROM TRANSPORT-ADDRESS-MIB
       tmsmSessionID
         FROM TMSM-MIB
       ;

   sshsmMIB MODULE-IDENTITY
       LAST-UPDATED "200509020000Z"
       ORGANIZATION "ISMS Working Group"
       CONTACT-INFO "WG-EMail:   isms@lists.ietf.org
                     Subscribe:  isms-request@lists.ietf.org

                  Chairs:
                     Juergen Quittek
                     NEC Europe Ltd.
                     Network Laboratories
                     Kurfuersten-Anlage 36
                     69115 Heidelberg
                     Germany
                     +49 6221 90511-15
                     quittek@netlab.nec.de

                     Juergen Schoenwaelder
                     International University Bremen
                     Campus Ring 1
                     28725 Bremen
                     Germany
                     +49 421 200-3587
                     j.schoenwaelder@iu-bremen.de

                  Co-editors:
                     David Harrington
                     Effective Software
                     50 Harding Rd
                     Portsmouth, New Hampshire 03801
                     USA
                     +1 603-436-8634
                     ietfdbh@comcast.net

                     Joseph Salowey
                     Cisco Systems
                     2901 3rd Ave
                     Seattle, WA 98121
                     USA
                     jsalowey@cisco.com
                       "
          DESCRIPTION  "The Secure Shell Security Model MIB

                        Copyright (C) The Internet Society (2005). This
                        version of this MIB module is part of RFC XXXX;
                        see the RFC itself for full legal notices.
   -- NOTE to RFC editor: replace XXXX with actual RFC number
   --                     for this document and remove this note
                       "

          REVISION     "200509020000Z"         -- 02 September 2005
          DESCRIPTION  "The initial version, published in RFC XXXX.
   -- NOTE to RFC editor: replace XXXX with actual RFC number
   --                     for this document and remove this note
                       "

       ::= { mib-2 xxxx }
   -- RFC Ed.: replace xxxx with IANA-assigned number and
   --          remove this note

   -- ---------------------------------------------------------- --
   -- subtrees in the SSHSM-MIB
   -- ---------------------------------------------------------- --

   sshsmNotifications OBJECT IDENTIFIER ::= { sshsmMIB 0 }
   sshsmObjects       OBJECT IDENTIFIER ::= { sshsmMIB 1 }
   sshsmConformance   OBJECT IDENTIFIER ::= { sshsmMIB 2 }

   -- -------------------------------------------------------------
   -- Objects
   -- -------------------------------------------------------------

   TransportAddressSSH ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "1a"
       STATUS      current
       DESCRIPTION
           "[discuss] Represents either a hostname encoded in ASCII
            using the IDNA protocol [RFC3490] followed by
            a colon ':' (ASCII character 0x3A) and a decimal port number
            in ASCII, or an IP address followed by a colon ':'
            (ASCII character 0x3A) and a decimal port number in ASCII.
            The name SHOULD be fully qualified whenever possible.

            Values of this textual convention are not directly useable
            as transport-layer addressing information, and require
            runtime resolution. As such, applications that write them
            must be prepared for handling errors if such values are
            not supported, or cannot be resolved (if resolution occurs
            at the time of the management operation).

            The DESCRIPTION clause of TransportAddress objects that may
            have TransportAddressSSH values must fully describe how (and
            when) such names are to be resolved to IP addresses and vice
            versa.

            This textual convention SHOULD NOT be used directly in
            object definitions since it restricts addresses to a
            specific format. However, if it is used, it MAY be used
            either on its own or in conjunction with
            TransportAddressType or TransportDomain as a pair.

            When this textual convention is used as a syntax of an
            index object, there may be issues with the limit of 128
            sub-identifiers specified in SMIv2, STD 58. In this case,
            the OBJECT-TYPE declaration MUST include a 'SIZE' clause
            to limit the number of potential instance sub-identifiers."
       SYNTAX      OCTET STRING (SIZE (1..255))


   transportDomainSSH OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION
           "The SSH transport domain. The corresponding transport
            address is of type TransportAddressSSH.

            When an SNMP entity uses the transportDomainSSH transport
            mapping, it must be capable of accepting messages up to
            and including 8192 octets in size.  Implementation of
            larger values is encouraged whenever possible."
       ::= { snmpDomains xxxx }
   -- RFC Ed.: replace xxxx with IANA-assigned number and
   --          remove this note



   -- Statistics for the Secure Shell Security Model


   sshsmStats         OBJECT IDENTIFIER ::= { sshsmObjects 1 }

   -- [todo] do we need any stats?


   -- The sshsmSession Group



   -- -------------------------------------------------------------
   -- sshsmMIB - Conformance Information
   -- -------------------------------------------------------------

   sshsmGroups OBJECT IDENTIFIER ::= { sshsmConformance 1 }

   sshsmCompliances OBJECT IDENTIFIER ::= { sshsmConformance 2 }

   -- -------------------------------------------------------------
   -- Units of conformance
   -- -------------------------------------------------------------
   sshsmGroup OBJECT-GROUP
       OBJECTS {

       }
       STATUS      current
       DESCRIPTION "A collection of objects for maintaining
                    information of an SNMP engine which implements the
                    SNMP Secure Shell Security Model.
                   "

       ::= { sshsmGroups 2 }

   -- -------------------------------------------------------------
   -- Compliance statements
   -- -------------------------------------------------------------



   sshsmCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP engines that support the
           SSHSM-MIB"
       MODULE
           MANDATORY-GROUPS { sshsmGroup }
       ::= { sshsmCompliances 1 }

   END



9.  Security Considerations

   This document describes a security model that would permit SNMP to
   utilize SSH security services.  The security threats and how SSHSM
   mitigates those threats are covered in detail throughout this memo.

   SSHSM relies on SSH mutual authentication, binding of keys,
   confidentiality and integrity.  Any authentication method that meets
   the requirements of the SSH architecture will provide the properties
   of mutual authentication and binding of keys.  While SSH does support
   turning off confidentiality and integrity, they SHOULD NOT be turned
   off when used with SSHSM.

   SSHv2 provides Perfect Forward Secrecy (PFS) for encryption keys.
   PFS is a major design goal of SSH, and any well-designed keyex
   algorithm will provide it.

   The security implications of using SSH are discussed in [RFC4251].

   SSHSM has no way to verify that server authentication was performed,
   to learn the host's public key in advance, or verify that the correct
   key is being used.  SSHSM simply trusts that these are properly
   configured by the implementer and deployer.

9.1.  noAuthPriv

   SSH provides the "none" userauth method, which is normally rejected
   by servers and used only to find out what userauth methods are
   supported.  However, it is legal for a server to accept this method,
   which has the effect of not authenticating the ssh client to the ssh
   server.  Doing this does not compromise authentication of the ssh
   server to the ssh client, nor does it compromise data confidentiality
   or data integrity.

   SSH supports anonymous access.  If SSHSM can extract from SSH an
   authenticated principal to map to securityName, then anonymous access
   SHOULD be supported.  It is possible for SSH to skip entity
   authentication of the client through the "none" authentication method
   to support anonymous clients, however in this case an implementation
   MUST still support data integrity within the SSH transport protocol
   and provide an authenticated principal for mapping to securityName
   for access control purposes.

   The RFC 3411 architecture does not permit noAuthPriv.  SSHSM should
   not be used with an SSH connection with the "none" userauth method.

9.2.  skipping public key verification

   Most key exchange algorithms are able to authenticate the SSH
   server's identity to the client.  However, for the common case of DH
   signed by public keys, this requires the client to know the host's
   public key a priori and to verify that the correct key is being used.
   If this step is skipped, then authentication of the ssh server to the
   ssh client is not done.  Data confidentiality and data integrity
   protection to the server still exist, but these are of dubious value
   when an attacker can insert himself between the client and the real
   ssh server.  Note that some userauth methods may defend against this
   situation, but many of the common ones (including password and
   keyboard-interactive) do not, and in fact depend on the fact that the
   server's identity has been verified (so passwords are not disclosed
   to an attacker).

   SSH MUST NOT be configured to skip public key verification for use
   with the SSHSM security model.

9.3.  the 'none' MAC algorithm

   SSH provides the "none" MAC algorithm, which would allow you to turn
   off data integrity while maintaining confidentiality.  However, if
   you do this, then an attacker may be able to modify the data in
   flight, which means you effectively have no authentication.

   SSH MUST NOT be configured using the "none" MAC algorithm for use
   with the SSHSM security model.
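
   The prohibitions in sections 9.1 to 9.3 can be checked against what
   an SSH session actually negotiated.  The sketch below is an added
   example, not part of the draft: it applies the RFC 4253 selection
   rule (the first name on the client's list that the server also
   lists) and reports which of the requirements above a session would
   violate.  KexInit, audit_session() and the sample name-lists are
   constructed for illustration; AEAD ciphers, which postdate this
   draft, are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class KexInit:
    """The four SSH_MSG_KEXINIT name-lists relevant here (RFC 4253, 7.1)."""
    enc_c2s: str  # encryption algorithms, client to server
    enc_s2c: str  # encryption algorithms, server to client
    mac_c2s: str  # MAC algorithms, client to server
    mac_s2c: str  # MAC algorithms, server to client


def _names(name_list: str) -> List[str]:
    """Split a comma-separated SSH name-list, ignoring empty entries."""
    return [n for n in name_list.split(",") if n]


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253: first name on the client's list that the server also lists."""
    offered = set(_names(server_list))
    for name in _names(client_list):
        if name in offered:
            return name
    return None  # no common algorithm; the connection attempt fails


def negotiated_algorithms(client: KexInit,
                          server: KexInit) -> Dict[str, Optional[str]]:
    """Run the selection rule for each direction of encryption and MAC."""
    return {
        field: negotiate(getattr(client, field), getattr(server, field))
        for field in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")
    }


def audit_session(client: KexInit, server: KexInit,
                  userauth_method: str, host_key_verified: bool) -> List[str]:
    """Return the SSHSM requirements (sections 9 to 9.3) the session breaks."""
    findings = []
    for field, name in negotiated_algorithms(client, server).items():
        if name is None:
            findings.append("%s: no common algorithm, key exchange fails"
                            % field)
        elif name == "none" and field.startswith("mac"):
            findings.append("9.3 MUST NOT: MAC 'none' negotiated for %s"
                            % field)
        elif name == "none":
            findings.append("9 SHOULD NOT: encryption 'none' negotiated for %s"
                            % field)
    if userauth_method == "none":
        findings.append("9.1: 'none' userauth, client is not authenticated")
    if not host_key_verified:
        findings.append("9.2 MUST NOT: server host key was not verified")
    return findings


# Constructed sample name-lists (not taken from the draft).
_ENC_CLIENT = "aes128-ctr,aes256-ctr"
_ENC_SERVER = "aes256-ctr,aes128-ctr"
HARDENED_CLIENT = KexInit(_ENC_CLIENT, _ENC_CLIENT, "hmac-sha1", "hmac-sha1")
# Lists "none" only as a last resort, yet it still wins against the
# server below because it is the only MAC both sides have in common.
WEAK_CLIENT = KexInit(_ENC_CLIENT, _ENC_CLIENT,
                      "hmac-sha1,none", "hmac-sha1,none")
GOOD_SERVER = KexInit(_ENC_SERVER, _ENC_SERVER, "hmac-sha1", "hmac-sha1")
NONE_MAC_SERVER = KexInit(_ENC_SERVER, _ENC_SERVER, "none", "none")

if __name__ == "__main__":
    cases = [
        ("hardened/good", HARDENED_CLIENT, GOOD_SERVER, "publickey", True),
        ("weak/none-mac", WEAK_CLIENT, NONE_MAC_SERVER, "password", True),
        ("hardened/none-mac", HARDENED_CLIENT, NONE_MAC_SERVER,
         "publickey", True),
        ("no auth, no key", HARDENED_CLIENT, GOOD_SERVER, "none", False),
    ]
    for label, c, s, method, verified in cases:
        print(label, "->", audit_session(c, s, method, verified) or "ok")
```

   A client that lists "none" last still ends up with it when the peer
   offers nothing else, so the safe configuration is not to list it at
   all.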

9.4.  MIB module security

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:
   o  [todo]

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:
   o  [todo]

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410] section 8), including
   full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.


10.  IANA Considerations

   IANA is requested to assign:
   1.  a TCP port number in the range 1..1023 in the
       http://www.iana.org/assignments/port-numbers registry which will
       be the default port for SNMP over SSH sessions as defined in this
       document,
   2.  an SMI number under mib-2, for the MIB module in this document,
   3.  an SnmpSecurityModel for the Secure Shell Security Model, as
       documented in the MIB module in this document,
   4.  "snmp" as an SSH Service Name in the
       http://www.iana.org/assignments/ssh-parameters registry.


11.  Acknowledgements

   The editors would like to thank Jeffrey Hutzelman for sharing his SSH
   insights.


12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.



   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3419]  Daniele, M. and J. Schoenwaelder, "Textual Conventions for
              Transport Addresses", RFC 3419, December 2002.

   [RFC3430]  Schoenwaelder, J., "Simple Network Management Protocol
              Over Transmission Control Protocol Transport Mapping",
              RFC 3430, December 2002.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4252]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

   [RFC4254]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Connection Protocol", RFC 4254, January 2006.

   [I-D.ietf-isms-tmsm]
              Harrington, D. and J. Schoenwaelder, "Transport Mapping
              Security Model (TMSM) Architectural Extension for the
              Simple Network Management Protocol (SNMP)",
              draft-ietf-isms-tmsm-02 (work in progress), May 2006.

12.2.  Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC4462]  Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch,
              "Generic Security Service Application Program Interface
              (GSS-API) Authentication and Key Exchange for the Secure
              Shell (SSH) Protocol", RFC 4462, May 2006.

   [I-D.ietf-netconf-ssh]
              Wasserman, M. and T. Goddard, "Using the NETCONF
              Configuration Protocol over Secure Shell (SSH)",
              draft-ietf-netconf-ssh-06 (work in progress), March 2006.


Appendix A.  Open Issues

   We need to reach consensus on some issues.  I numbered the [discuss]
   markers in the text for easy correlation to the issue discussions.
   *** When discussing these issues, please use the provided # in the
   subject line, and please limit the message to one topic at a time.
   ***

   Here is the current list of issues from the SSHSM document where we
   need to reach consensus.
      #6: Are there any wrinkles to coexistence with SNMPv1/v2c/USM?
      #10: a) which securityparameters must be supported for the SSHSM
      model? b) Which services provided in USM are needed in TMSM/SSHSM?
      C) How does the Message Processing model provide this information
      to the security model via generateRequestMsg() and
      processIncomingMsg() primitives?
      #15: What data needs to be stored in the tmStateReference, and how
      does SSHSM get the information from SSH, for the various
      authentication and transport options?
      #21: we need to determine what data should be persistent and
      stored in the LCD for notification purposes.
      #24: How should we enable auto-discovery?

A.1.  Closed Issues

   #1: is it important to support anonymous user access to SNMP?
   Resolution: We should support whatever authorizations are provided by
   SSH; if SSH supports anonymous access, and SSHSM can extract a
   username, then it should be supported.

   #2: a) is server authentication a requirement that SNMP will require
   of the client? yes. b) how can we verify that server authentication
   was performed, or do we simply trust the SSH client layer to
   perform such authentication? we trust the SSH layer to provide such
   authentication. c) for the common case of DH signed by public keys,
   how does the client learn the host's public key in advance, and
   verify that the correct key is being used? this is out of scope for
   this document

   #3: we need some text contributed to discuss the implications of
   sessions on SNMP.  See TMSM.

   #4: Should the SSHSM document include a discussion of the operational
   expectations of this model for use in troubleshooting a broken
   network, or can this be covered in the TMSM document?  (Either way,
   we could use some contributed text on the topic).  See TMSM.

   #5: Should the SSHSM document include a discussion of ways SNMP could
   be extended to better support management/monitoring needs when a
   network is running just fine, or can this be covered in the TMSM
   document, or in an applicability document?  Out of scope for this
   document.

   #7: is there still a need for an "authoritative SNMP engine"?  No.

   #8: Do we need a mapping between the SSH key (or other SSH engine
   identifier) and SNMP engineID?  No.  What happens if an agent
   "spoofs" another engineID, and an NMS performs a SET of sensitive
   parameters to the agent?  Resolution: we do not need to address this
   for local SSH and local snmpEngineID, unless somebody can show a use
   case requirement.  There is likely to be a need to map, in an
   implementation-dependent manner, the remote engineIDs with the
   associated SSH host (mapping of engineID/transport address/host key).

   #9: Can an existing R/R session be reused for notifications?  Yes.

   #11: If we eliminate all msgSecurityParameters, should the
   msgSecurityParameters field in the SNMPv3 message simply be a zero-
   length OCTET STRING, or should it be an ASN.1 NULL?  It MUST be a
   BER-encoded OCTET STRING

   #12: a) how does SSHSM determine whether SSH can provide the security
   services requested in msgFlags?  It doesn't.  B) There were
   discussions about whether it was acceptable for a transport-mapping-
   model to provide stronger security than requested.  Does this need to
   be discussed in the SSHSM document, or should we discuss this in the
   TMSM document?  Both. c) when sending a message into an environment
   where encryption is not legal, how do we ensure that encryption is
   not provided?  The Danvers Doctrine seems to indicate this is not
   necessary to discuss.

   #13: will SSHSM be impacted by keychanges to the SSH local datastore?
   Resolution: if the session is closed while the Response is being
   prepared, discard the Response.

   #14: MUST the SSHSM model provide mutual authentication of the client
   and server, and MUST it authenticate, integrity-check, and encrypt
   the messages?  Resolution: yes.

   #16: The SSH server doesn't necessarily authorize the name carried in
   the SSH_MSG_USERAUTH_REQUEST message, but may return a different name
   or list of names that are authorized to be used given the
   authentication of the provided username.  Resolution: this is
   mistaken; the username from the SSH_MSG_USERAUTH_REQUEST SHOULD be
   used.  A) What should be the source of the SSHSM mechanism-specific
   username for mapping to securityname?  Resolution: the username from
   the SSH_MSG_USERAUTH_REQUEST SHOULD be used.

   #16 B) passing a securityName might be useful for passing as a hint
   to RADIUS or other authorization mechanism to indicate which identity
   we want to use when doing access control, and RADIUS,etc. can tell us
   whether the username being authenticated is allowed to be mapped to
   that authorization/accounting identity.  Should we provide
   securityName when establishing a session, so the authentication
   mechanisms can use it as a hint?  SSHSM provides securityName/Model/
   Level and transport; whether SSH passes this to RADIUS is out of scope
   for this document.

   #17: I believe somebody suggested we require mutual authentication.
   I'm not sure I understand the edits.  Done.

   #18: I currently have multiple sections, one for each known auth
   mechanism.  We need to discuss the parameters that need to be cached
   for each, and determine whether we can collapse this into one
   section. A) Using Passwords to Authenticate SNMP Principals B) Using
   Public keys to Authenticate SNMP Principals C) Using Host-based
   Authentication of SNMP Principals Resolution: I will collapse this
   later, after we have verified we have considered all current/likely
   scenarios.  Done.

   #19: RADIUS is just an instance of the password authentication
   protocol.  The details of RADIUS are within the SSH layer.  I don't
   think it is a good idea to expose this outside of SSH.  Resolution:
   If possible, the details of RADIUS should not be exposed in SSHSM.
   There may be an issue with receiving authorization without exposing
   the details.

   #20: How do we get the mapping from model-specific identity to a
   model independent securityName?  Resolution: Implementation-
   dependent, both in the case of extracting tmSecurityname from SSH for
   an incoming message, and for providing an LCD mapping.

   #22: Joe: There are a significant number of security problems
   associated with mapping to a transport address which may need to be
   discussed in the security considerations section.  Resolution: add a
   transporttype for hostname.

   #23: We need to discuss the circumstances under which a session
   should be closed, and how an SNMP engine should determine if, and
   respond if, the SSH session is closed by other means.  See TMSM, and
   implementation-dependent.

   #25: Where is the best place to call openSession()?  Note that the
   whole message is completely put together within the message-
   processing portion of the security model, in the hopes that a session
   will be able to be established when the message gets to the transport
   mapping portion of the architecture.  It is done this way because the
   RFC3411 architecture doesn't pass the transport addressing info into
   the security model via messaging model.  It would seem a much more
   efficient approach to verify that the session can be established,
   while still in the security model portion of the messaging model.  If
   we don't establish the session until we get to the transport mapping,
   we've done a lot of work for nothing.  And thus far, there is no
   place to record failed attempts to establish a session, so an engine
   doesn't learn to not try to open a session.  In an environment where
   the SNMP engine might be a daemon used by multiple applications, an
   attacker could use this to cause a denial of service attack at the
   NMS.  This would likely occur on the NMS side.  I don't know if
   there's any way to cause it to happen on the agent side.  I suppose a
   rogue agent with callhome functionality might be able to cause a
   denial of service for an NMS by repeatedly requesting callhome and
   then refusing the connections.  Resolution: called from TMSP.

   #26: According to RFC 3411, section 4.1.1, the application provides
   the transportDomain and transportAddress to the PDU dispatcher via
   the sendPDU() primitive.  If we permit multiple sessions per
   transportAddress, then we would need to define how session
   identifiers get passed from the application to the PDU dispatcher
   (and then to the MP model).  Resolution: applications do not know about
   sessions.

   #27: The SNMP over TCP Transport Mapping document [RFC3430] says that
   TCP connections can be recreated dynamically or kept for future use
   and actually leaves all that to the transport mapping.  Do we need to
   discuss these issues?  Where? in the security considerations?  See
   TMSM.

   #28: For notification tables, how do we predefine the dynamic session
   identifiers?  We might have a MIB module that records the session
   information for subsequent use by the applications and other
   subsystems, or it might be passed in the tmStateReference cache.  For
   notifications, I assume the SNMPv3 notification tables would be a
   place to find the address, but I'm not sure how to identify the
   presumably-dynamic session identifiers.  The MIB module could
   identify whether the session was initiated by the remote engine or
   initiated by the current engine, and possibly assigned a purpose
   (incoming request/response or outgoing notifications).  Resolution:
   applications do not know about sessions, only transport and
   securityN/M/L; if separate sessions are desired, then they can be
   differentiated by transport and securityN/M/L parameters.

   #29: do we need to support reports?  For what purpose?  Yes, reports
   are used from application processing and for contextEngine discovery.

   #30: If we actually do not extract anything from securityParameters,
   do we need to check whether this field parses correctly?  It
   apparently parsed well enough to pass the parse test in the messaging
   model.  Could we simply ignore the securityParameters being passed
   in?  The only argument I see for checking to ensure this is empty is
   to ensure somebody isn't using the field for non-standard purposes,
   such as passing a virus in the field.  If we do check it, do we need
   to report it through Reports?  Resolution: yes; it won't hurt to
   check it.

   #32: For an incoming message (Processing an Incoming Message section
   10), is using a default securityName mapping the right thing to do?
   Resolution: Yes, it is the right thing to do.

   #31: Is maxSizeResponseScopedPDU relevant?  Can it be calculated once
   for the session?  Do we need to take into consideration the SSH
   window size?  Resolution: It can probably be calculated once per
   session.

   #33: does the mib need to be writable, so sessions can be
   preconfigured, such as for callhome, or would it be populated at
   creation time by the underlying instrumentation, and not writable by
   SNMP?  This is about the session table, which has been moved to TMSM.

   [discuss] #34 - how do we determine whether a PDU contains a Request
   /Response or a Notification?  By configuring the securityName or the
   transport parameters.

   [discuss] #35 - which subsystem is used for Reports? ** Reports are a
   reaction to a previously received message and thus they go wherever
   the previous message triggering the report came from.


Appendix B.  Change Log

   "From -01- to -02-"
      Added TransportDomainSSH and Address
      Removed implementation considerations
      Changed all "user auth" to "client auth"
      Removed unnecessary MIB module objects
      updated references
      improved consistency of references to TMSM as architectural
      extension
      updated conventions
      updated threats to be more consistent with RFC3552
      discussion of specific SSH mechanism configurations moved to
      security considerations
      modified session discussions to reference TMSM sessions
      expanded discussion of engineIDs
      wrote text to clarify the roles of MPSP and TMSP
      clarified how snmpv3 message parts are used by SSHSM
      modified nesting of subsections as needed
      securityLevel used by SSHSM always equals authpriv
      removed discussion of using SSHSM with SNMPv1/v2c
      started updating Elements of Procedure, but realized missing info
      needs discussion.
      updated MIB module relationship to other MIB modules

   "From -00- to -01-"
      -00- initial draft as ISMS work product:
      updated references to SecSH RFCs
      Modified text related to issues# 1, 2, 8, 11, 13, 14, 16, 18, 19,
      20, 29, 30, and 32.
      updated security considerations
      removed Juergen Schoenwaelder from authors, at his request
      ran the mib module through smilint


Authors' Addresses

   David Harrington
   Futurewei Technologies
   1700 Alma Dr. Suite 100
   Plano, TX 75075
   USA

   Phone: +1 603 436 8634
   EMail: dharrington@huawei.com

   Joseph Salowey
   Cisco Systems
   2901 3rd Ave
   Seattle, WA 98121
   USA

   EMail: jsalowey@cisco.com


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.





From isms-bounces@lists.ietf.org Fri May 19 23:19:01 2006
Message-ID: <002101c67bbc$d4a837a0$6501a8c0@oemcomputer>
From: "Randy Presuhn" <randy_presuhn@mindspring.com>
To: <isms@ietf.org>
References: <20060517185802.GE6311@boskop.local>
Subject: Re: [Isms] tmsm issue #5: session table (p39)
Date: Fri, 19 May 2006 20:23:57 -0700

Hi -

> From: "Juergen Schoenwaelder" <j.schoenwaelder@iu-bremen.de>
> To: <isms@ietf.org>
> Sent: Wednesday, May 17, 2006 11:58 AM
> Subject: [Isms] tmsm issue #5: session table (p39)
>
> tmsm issue #5: session table (p39)
> 
>   Should it be possible for a manager to create or modify rows in the
>   session table?  If so, then we may need the rowstatus object.  If
>   the session table is read-only then we can probably eliminate the
>   rowstatus.  If the table is not read-only, then we need to list the
>   tables and objects and state why they are sensitive.
> 
>   -> strawman: the session table is read-only
...

The only reasons I can think for having a session table visible to
management are:
    - to monitor who is accessing a system at the moment
    - to provide a way for an administrator to terminate other sessions
    - for debugging

None of these seems very persuasive to me.  I suggest eliminating
the table.

Randy





From isms-bounces@lists.ietf.org Mon May 22 13:38:11 2006
From: "David Harrington" <ietfdbh@comcast.net>
To: "'Randy Presuhn'" <randy_presuhn@mindspring.com>,
	<isms@ietf.org>
Subject: RE: [Isms] tmsm issue #5: session table (p39)
Date: Mon, 22 May 2006 13:37:16 -0400
Message-ID: <08d301c67dc6$5e81f690$0400a8c0@china.huawei.com>
In-Reply-To: <002101c67bbc$d4a837a0$6501a8c0@oemcomputer>

Hi Randy,

There is another use case you didn't mention.

An authenticated CG could cause the creation of a session from the
remote system to the local system for callback purposes. Such a
callback approach has not been well-specified, and I am not sure such
an approach is even viable, but it would require either read-write
access to the session table, or another object that would cause a
session to be created. Either way, the manager would probably want to
see if a suitable session already existed before creating a new
session.

Callback has been debated, and the WG has waffled between "this really
is needed for notifications when no session yet exists" to "we don't
care about this because there is no customer demand for this feature."

If all engines support mixing R/R and notification messages in the
same session, then a manager could open a two-way session to each
agent in case there are any notifications to be sent to it. I think
this compares to the subscription model being discussed in netconf.
There are issues with mixing that we have not yet discussed and which
have been discussed in netconf, such as whether a long response (say
to a getbulk) would block the delivery of notifications. There are
issues with subscriptions that we have not discussed, such as the
scalability of requiring managers to configure sessions to agents,
especially when a network is recovering from, say, a power outage -
with a subscription model, should the linkUp notifications be buffered
by the agent until a manager sets up a session?

In the meantime, I find the session table useful to try to understand
what session info needs to be kept in an LCD for use by the elements
of procedure, whether the LCD is in MIB format or a proprietary
format. Using an implementation-neutral session MIB makes this clearer
for me for now.

We will need to keep session info available, and specify how one does
a lookup based on the info available in the ASIs, in order to support
the reuse of sessions (mixed or not). SNMP applications and the
dispatcher and the message processing models do not know about
sessions, and SSH does not know about securityN/M/L, so SSHSM needs to
translate from the ASI parameters (transport + securityN/M/L) to SSH
username/subsystem/transport somehow. A session table seems an
appropriate place.

dbh
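
The lookup described in the message above (ASI parameters to SSH username/subsystem/transport, with session reuse), combined with the record of failed open attempts that issue #25 of the draft says is missing, as an added example that is not part of the original message or the draft. SSHSM_MODEL, SUBSYSTEM, the class and method names, the backoff policy and the sample addresses are assumptions made for illustration.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Assumed placeholders: the thread gives neither a securityModel number for
# SSHSM nor an SSH subsystem name.
SSHSM_MODEL = 9999
SUBSYSTEM = "snmp-example"

# What the ASIs carry: transport address plus securityName/Model/Level.
SessionKey = Tuple[str, str, int, str]


class SessionUnavailable(Exception):
    """No usable session, and opening one failed or is being held off."""


@dataclass
class Session:
    session_id: int
    transport: str
    ssh_username: str
    subsystem: str
    is_open: bool = True


@dataclass
class Failure:
    count: int
    retry_at: float


class SessionTable:
    """Hypothetical LCD session table; not the draft's MIB module."""
    def __init__(self, opener: Callable[[str, str, str], None],
                 to_ssh_user: Callable[[str], str], clock: Callable[[], float],
                 base_delay: float = 1.0, max_delay: float = 300.0):
        self._opener = opener            # does the SSH connect; raises OSError
        self._to_ssh_user = to_ssh_user  # securityName -> SSH username mapping
        self._clock = clock
        self._base, self._max = base_delay, max_delay
        self._sessions: Dict[SessionKey, Session] = {}
        self._failures: Dict[SessionKey, Failure] = {}
        self._ids = itertools.count(1)

    def get_session(self, transport: str, security_name: str,
                    security_level: str = "authPriv",
                    security_model: int = SSHSM_MODEL) -> Session:
        key = (transport, security_name, security_model, security_level)
        existing = self._sessions.get(key)
        if existing is not None and existing.is_open:
            return existing              # reuse; callers never see session ids
        now = self._clock()
        failure = self._failures.get(key)
        if failure is not None and now < failure.retry_at:
            # Remembered failure: refuse cheaply instead of reconnecting.
            raise SessionUnavailable(f"holding off until t={failure.retry_at}")
        username = self._to_ssh_user(security_name)
        try:
            self._opener(transport, username, SUBSYSTEM)
        except OSError as exc:
            count = failure.count + 1 if failure else 1
            delay = min(self._base * 2 ** (count - 1), self._max)
            self._failures[key] = Failure(count, now + delay)
            raise SessionUnavailable(str(exc)) from exc
        self._failures.pop(key, None)
        session = Session(next(self._ids), transport, username, SUBSYSTEM)
        self._sessions[key] = session
        return session

    def mark_closed(self, session_id: int) -> None:
        # Called when SSH reports the session gone; the next send reopens.
        for session in self._sessions.values():
            if session.session_id == session_id:
                session.is_open = False


def demo() -> dict:
    """Constructed scenario: one reachable agent, one peer that refuses."""
    now, connects = [0.0], []

    def opener(transport, username, subsystem):
        connects.append(transport)
        if transport == "192.0.2.66:22":   # constructed documentation address
            raise OSError("connection refused")

    table = SessionTable(opener, lambda name: name, lambda: now[0])
    first = table.get_session("192.0.2.10:22", "operator")
    again = table.get_session("192.0.2.10:22", "operator")
    other = table.get_session("192.0.2.10:22", "auditor")
    refused = 0
    for _ in range(5):                     # five messages for a dead peer
        try:
            table.get_session("192.0.2.66:22", "operator")
        except SessionUnavailable:
            refused += 1
    return {"reused": first is again,
            "separate": first.session_id != other.session_id,
            "refused": refused,
            "connects_to_dead_peer": connects.count("192.0.2.66:22")}
```

In the constructed scenario all five sends to the refusing peer are rejected, but only the first one costs a connection attempt; the other four are answered from the failure record.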




From isms-bounces@lists.ietf.org Wed May 24 18:23:58 2006
Date: Thu, 25 May 2006 00:23:40 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060524222340.GA16102@boskop.local>
Subject: [Isms] snmp over ssh performance

Hi,

some time ago, I promised to post some data how our SNMP over SSH
prototype performs.  At the location

http://www.eecs.iu-bremen.de/schoenw/sshsm-perf.pdf

you can pick up a draft of a paper which has the whole story. Let us
know if you have any questions or comments.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany




From isms-bounces@lists.ietf.org Thu May 25 17:52:26 2006
Date: Thu, 25 May 2006 15:52:17 -0600
Message-ID: <CD6CE349CFD30D40BF5E13B3E0D84804017989FB@srvxchg.cablelabs.com>
From: "Sumanth Channabasappa" <sumanth@cablelabs.com>
To: <isms@ietf.org>
Subject: [Isms] Comments: draft-ietf-isms-tmsm-02

Folks,
=20
As a follow-up to volunteering for the review of
draft-ietf-isms-tmsm-xx, here are a set of preliminary comments, some
questions and requested clarifications.=20
=20
They are mostly a collective effort (most of them are from Josh
Littlefield and some from myself, as indicated in []).
=20
regards
Sumanth
=20
=20
- [C#1] 2.2.1=20

[Sumanth] Are TMSM TMSP and TMSM MPSP really independent as defined in
the figure?

=20

Also see: comments on 2.2.2.2 (C#5) and 4.2 (C#8)

=20

=20

- [C#2] 2.3.1=20

[Sumanth] This leaves a lot to the security model definitions. Can we
make it a requirement for the security models to define constraints
listed here.

=20

- [C#3] 2.3.3, 1st para (pg 19):

=20

"The cryptographic protocols used to establish keys for a TMSM-based
security model session SHOULD ensure that fresh new session keys are
generated for each session."

=20

[Josh] Would this rule out TLS session resumption, which uses an
abbreviated handshake to resume a cached session?  Shouldn't this be a
transport protocol security issue, not a TMSM issue?

=20

[Sumanth] My assumption is that 'session resumption' should be allowed
(e.g. TLS). Can we include this explicitly and have some considerations
(when to use and when not to).

=20

=20

=20

- [C#4] 2.2.2.1, 4th para (pg 14):

=20

"Hence, the authentication of a transport layer identity plays an
important role and must be considered by any TMSM, and user
authentication must be available via the transport layer security
protocol."

=20

[Josh] Should avoid talking about "user authentication."  There are no
"users" in the abstract model, only securityNames.  Perhaps the
requirement is for of some form of peer principal authentication.

=20

=20

- [C#5] 2.2.2.2, final para (pg 15):

"This may be highly undesirable, however, if it creates a dependency
between a security model and an access control model, just as it is
undesirable that the TMSM approach creates a dependency between a TMSP
and an MPSP."

=20

[Josh, Sumanth] While I agree that interdependence between a security
model and an access control model is undesirable, I don't equate that
with the dependency between a TMSP and an MPSP.  I think the latter is
unavoidable in cases where the transport provides all security
functions, even though SNMP expects them to come from the message
processor.  The SM-specific MPSP would seem to have to be tailored to
the TMSP capabilities in all cases.  In fact, they might be bound
together, even though they provide two separate abstract interfaces.

=20

- [C#6] 2.3, 3rd para (pg 17):

=20

"It is important to note that the architecture described in [RFC3411]
does not include a session selector in the Abstract Service Interfaces,
and neither is that done for this architectural extension, so an SNMP
application cannot select the session except by passing a unique
combination of securityName, securityModel, and securityLevel."

=20

[Josh, Sumanth] Add "transport address" to the list of items used to
select the session.  This would then be consistent with the text in
2.3.1.

=20

- [C#7] 4.2 (pg 25):

=20

[Josh] The TMSM is described as an entity with an (abstract) interface
with a specific TMSM-based security model below it, but in general the
TMSM isn't otherwise described as a component.  It would seem more clear
to talk about the TMSP here, or perhaps the TMSM TMSP, with the TMSP
providing sendMessage() and recvMessage(), and a security-model-specific
TMSP instance providing txMessage(), rxMessage(), openSession(), etc.

=20

=20

[Josh] The value of the layering between sendMessage() and txMessage(),
and between recvMessage() and rxMessage() (the layering between a
generic TMSP and a SM-specific TMSP) is not obvious.  It would seem, at
the least, that the securityModel would need to be passed to
sendMessage() in order to allow this generic layer to locate the
specific TMSP.  If this is retrieve by the generic TMSP from the
tmStateReference (implied by section 7), then section 7 must be
normative about some of the required content of tmStateReference.

=20

[Josh] Since the recvMessage() ASI is implemented by the Dispatcher and
called by the TMSP, it doesn't seem to make sense that tmStateReference
is an OUTPUT.  It should be an INPUT, since I believe it is produced by
the TMSP and provided to the Dispatcher, as is also true for the
incomingMessage.  The same would seem to be true for the
tmStateReference argument in rxMessage().  Similarly, why would
sessionID be an OUTPUT, indicating it is produced by the Dispatcher?

=20

- [C#8] 4.2 (pg 26):

If the use of sessions is hidden by the TMSP, then it isn't clear why
the ASI to the SM-specific TMSP provides openSession() and
closeSession() mechanisms.  Further, the sessionID is not INPUT to any
ASI other than closeSession(), so what is the point of allowing one to
open a specific session?  Similarly, what is the point of producing
sessionID from the sendMessage() call?  The Dispatcher has no obvious
use for a sessionID (and no ASI to close a session).

=20

- [C#9] 6.2, para 4 (pg 28):

=20

"[discuss] We need to discuss what the meaning of authoritative would be
in a TMSM environment, whether the specific services provided in USM
security from msgSecurityParameters still are needed, and how the
Message Processing model provides this information to the security model
via generateRequestMsg() and processIncomingMsg() primitives."

=20

[Josh] While "authoritative", as relates to the setting of
securityEngineID is defined clearly in RFC 3412, I don't think TMSM can
make any blanket statements about whether securityEngineID (the
authoritative SNMP entity) is needed by the underlying security model.
There may be TMSM-based security models that model themselves on USM for
authentication of the connection originator (client), while using
transport mechanisms for authentication of the server, and require
securityEngineID to be used in a way similar to USM.  If it isn't used,
then it would be up to each specific TMSM model to state that.=20

Likewise, I think it's up to the specific TMSM model to define the use
of msgSecurityParameters.

[Josh]

Regarding "authoritative", this has been discussed on the mailing list
and this is in agreement with the current consensus (?) -- refer to
issue #1 on the mailing list

Regarding "msgSecurityParameters", this has been discussed on the
mailing list and this is in agreement with the current consensus (?) --
refer to issue #2 on the mailing list

-- [C#10] 8 & 9 (pg 29+):

[Josh] How does the tmStateReference get into and out of the MPSP?  Are
the Dispatcher to MP ASIs augmented to pass this reference?

-- [C#11] 9 (pg 30):

[Josh] Now this text makes me think that the openSession() and
closeSession() ASIs were between the MPSP and the TMSP.  Or, does the
MPSP accomplish the actions described here against the TMSP by internal
interfaces?

-- [C#12] 11 (Page 33, 34)

[sumanth]

"tmsmSessionSpinLock" - usage is not very clear

"tmsmSessionMaxSupported" - given the interpretation of zero is
'dynamic', what about the case when the max is zero (resource
constraints)? Recommend changing it to a MAX value for dynamic or
something else

"tmsmSessionEngineID" -- implies that there is one Engine ID per
session. Do we need to make this clear elsewhere?


------_=_NextPart_001_01C68045.7D71C9DE--


--===============1726554057==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1726554057==--




From isms-bounces@lists.ietf.org Thu May 25 17:52:37 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FjNkz-0005TX-CD; Thu, 25 May 2006 17:52:37 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FjNky-0005TS-4B
	for isms@ietf.org; Thu, 25 May 2006 17:52:36 -0400
Received: from ondar.cablelabs.com ([192.160.73.61])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FjNkw-0004xv-RQ
	for isms@ietf.org; Thu, 25 May 2006 17:52:36 -0400
Received: from srvxchg.cablelabs.com (srvxchg.cablelabs.com [10.5.0.20])
	by ondar.cablelabs.com (8.13.6/8.13.6) with ESMTP id k4PLqX8U009428;
	Thu, 25 May 2006 15:52:33 -0600 (MDT)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms] tmsm issue #5: session table (p39)
Date: Thu, 25 May 2006 15:52:33 -0600
Message-ID: <CD6CE349CFD30D40BF5E13B3E0D84804017989FC@srvxchg.cablelabs.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Isms] tmsm issue #5: session table (p39)
Thread-Index: AcZ9xpM2ElS2fvxkR8SIyXln1PnIdwCUMOjA
From: "Sumanth Channabasappa" <sumanth@cablelabs.com>
To: "David Harrington" <ietfdbh@comcast.net>,
	"Randy Presuhn" <randy_presuhn@mindspring.com>, <isms@ietf.org>
X-Approved: ondar
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7a6398bf8aaeabc7a7bb696b6b0a2aad
Cc: 
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

<snip>

Callback has been debated, and the WG has waffled between "this really
is needed for notifications when no session yet exists" to "we don't
care about this because there is no customer demand for this feature."

[s] I presume you mean call-home. IMHO it is important to support it
(based on feedback from Service Providers)

<snip>

- S





From isms-bounces@lists.ietf.org Fri May 26 00:18:54 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FjTmo-0007rF-Tj; Fri, 26 May 2006 00:18:54 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FjTmn-0007r9-OF
	for isms@ietf.org; Fri, 26 May 2006 00:18:53 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FjTmm-0005wy-7k
	for isms@ietf.org; Fri, 26 May 2006 00:18:53 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 5048C55FA8
	for <isms@ietf.org>; Fri, 26 May 2006 06:18:51 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024) with ESMTP id 15544-10 for <isms@ietf.org>;
	Fri, 26 May 2006 06:18:50 +0200 (CEST)
Received: from noname.localhost (unknown [10.222.1.2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id D525C55F99
	for <isms@ietf.org>; Fri, 26 May 2006 06:18:49 +0200 (CEST)
Received: by noname.localhost (Postfix, from userid 501)
	id 383CE6EDD5F; Fri, 26 May 2006 06:18:48 +0200 (CEST)
Resent-From: j.schoenwaelder@iu-bremen.de
Resent-Date: Fri, 26 May 2006 06:18:47 +0200
Resent-Message-ID: <20060526041847.GA1978@noname>
Resent-To: isms@ietf.org
Received: from merkur.iu-bremen.de ([unix socket])
	by merkur (Cyrus v2.2.12) with LMTPA; Fri, 26 May 2006 06:12:24 +0200
X-Sieve: CMU Sieve 2.2
Received: from hermes.iu-bremen.de (hermes.iu-bremen.de [212.201.44.23])
	by merkur.iu-bremen.de (Postfix) with ESMTP id D6B9479EAA367
	for <j.schoenwaelder@iu-bremen.de>;
	Fri, 26 May 2006 06:12:24 +0200 (CEST)
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id D62FD55D59
	for <j.schoenwaelder@iu-bremen.de>;
	Fri, 26 May 2006 06:12:24 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 15168-09 for <j.schoenwaelder@iu-bremen.de>;
	Fri, 26 May 2006 06:12:22 +0200 (CEST)
Received: from megatron.ietf.org (stiedprmman1.ietf.org [156.154.16.145])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id C6DF455F99
	for <j.schoenwaelder@iu-bremen.de>;
	Fri, 26 May 2006 06:12:21 +0200 (CEST)
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FjTUb-0003D4-Fy; Fri, 26 May 2006 00:00:05 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FjTUZ-0003CZ-1y
	for ietf-announce@ietf.org; Fri, 26 May 2006 00:00:03 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129]
	helo=pine.neustar.com) by ietf-mx.ietf.org with esmtp (Exim 4.43)
	id 1FjTUX-0003qf-QU
	for ietf-announce@ietf.org; Fri, 26 May 2006 00:00:03 -0400
Received: from stiedprstage1.ietf.org (stiedprstage1.va.neustar.com
	[10.31.47.10])
	by pine.neustar.com (8.12.8/8.12.8) with ESMTP id k4Q401XO022863
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <ietf-announce@ietf.org>; Fri, 26 May 2006 04:00:01 GMT
Received: from ietf by stiedprstage1.ietf.org with local (Exim 4.43)
	id 1FjTUX-0005gG-Cl
	for ietf-announce@ietf.org; Fri, 26 May 2006 00:00:01 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
To: ietf-announce@ietf.org
From: ietf-secretariat@ietf.org
Message-Id: <E1FjTUX-0005gG-Cl@stiedprstage1.ietf.org>
Date: Fri, 26 May 2006 00:00:01 -0400
X-Spam-Score: -2.6 (--)
X-Scan-Signature: 97adf591118a232206bdb5a27b217034
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Status: No, score=-2.312 tagged_above=-30 required=6.31
	tests=[BAYES_00=-2.312]
X-Spam-Score: -2.312
X-Spam-Level: 
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 8b30eb7682a596edff707698f4a80f7d
Cc: 
Subject: [Isms] Internet-Drafts Submission Cutoff Dates for the 66th IETF
 Meeting in Montreal, Quebec, Canada 
X-BeenThere: isms@lists.ietf.org
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>,
	<mailto:isms-request@lists.ietf.org?subject=subscribe>
Sender: isms-bounces@lists.ietf.org
Errors-To: isms-bounces@lists.ietf.org
Resent-Date: Fri, 26 May 2006 00:18:54 -0400


There are two (2) Internet-Draft cutoff dates for the 66th 
IETF Meeting in Montreal, Quebec, Canada:

June 19th: Cutoff Date for Initial (i.e., version -00) 
Internet-Draft Submissions 

All initial Internet-Drafts (version -00) must be submitted by Monday, 
June 19th at 9:00 AM ET. As always, all initial submissions with a 
filename beginning with "draft-ietf" must be approved by the 
appropriate WG Chair before they can be processed or announced.  The 
Secretariat would appreciate receiving WG Chair approval by Monday, 
June 12th at 9:00 AM ET.

June 26th: Cutoff Date for Revised (i.e., version -01 and higher) 
Internet-Draft Submissions 

All revised Internet-Drafts (version -01 and higher) must be submitted 
by Monday, June 26th at 9:00 AM ET.

Initial and revised Internet-Drafts received after their respective 
cutoff dates will not be made available in the Internet-Drafts 
directory or announced until on or after Monday, July 10th at 9:00 
AM ET, when Internet-Draft posting resumes.  Please do not wait until 
the last minute to submit.

Thank you for your understanding and cooperation. If you have any 
questions or concerns, then please send a message to 
internet-drafts@ietf.org.

The IETF Secretariat

FYI: The Internet-Draft cutoff dates as well as other significant dates
for the 66th IETF Meeting can be found at http://www.ietf.org/meetings/cutoff_dates_66.html.




From isms-bounces@lists.ietf.org Fri May 26 18:25:10 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1Fjkju-0000Rm-PO; Fri, 26 May 2006 18:25:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FhZri-0006Lu-QM
	for isms@ietf.org; Sat, 20 May 2006 18:24:06 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FhZrg-0003cC-8b
	for isms@ietf.org; Sat, 20 May 2006 18:24:06 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32])
	by hermes.iu-bremen.de (Postfix) with ESMTP id 24BB55609C;
	Sun, 21 May 2006 00:23:58 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23])
	by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new,
	port 10024)
	with ESMTP id 14185-05; Sun, 21 May 2006 00:23:56 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.3])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hermes.iu-bremen.de (Postfix) with ESMTP id E02F155C2F;
	Sun, 21 May 2006 00:23:52 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501)
	id 6E7AF6E3B8B; Sun, 21 May 2006 00:23:51 +0200 (CEST)
Date: Sun, 21 May 2006 00:23:51 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: isms@ietf.org
Message-ID: <20060520222351.GB1155@boskop.local>
Mail-Followup-To: isms@ietf.org,
	Vladislav Marinov <v.marinov@iu-bremen.de>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="H1spWtNR+x+ondvy"
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 80e8288170284a4ff69c3886dee0164d
X-Mailman-Approved-At: Fri, 26 May 2006 18:25:01 -0400
Cc: 
Subject: [Isms] snmp over ssh performance
Reply-To: j.schoenwaelder@iu-bremen.de


--H1spWtNR+x+ondvy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

Some time ago, I promised to post some data on how our SNMP over SSH
prototype performs.  Attached is a draft of a paper which has the
whole story. Let us know if you have any questions or comments.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

--H1spWtNR+x+ondvy
Content-Type: application/pdf
Content-Disposition: attachment; filename="paper.pdf"
Content-Transfer-Encoding: base64
--H1spWtNR+x+ondvy--




From isms-bounces@lists.ietf.org Sun May 28 16:29:58 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1FkRtJ-0007Wa-KS; Sun, 28 May 2006 16:29:37 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1FkRtI-0007WS-75
	for isms@ietf.org; Sun, 28 May 2006 16:29:36 -0400
Received: from kyoto.netlab.nec.de ([195.37.70.21])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FkRtF-0003YL-U5
	for isms@ietf.org; Sun, 28 May 2006 16:29:36 -0400
Received: from [192.168.1.130] (HSI-KBW-085-216-002-068.hsi.kabelbw.de
	[85.216.2.68])
	by kyoto.netlab.nec.de (Postfix) with ESMTP id C73ED1BAC4D
	for <isms@ietf.org>; Sun, 28 May 2006 22:20:24 +0200 (CEST)
Date: Sun, 28 May 2006 22:29:25 +0200
From: Juergen Quittek <quittek@netlab.nec.de>
To: isms@ietf.org
Subject: [Isms] draft agenda for Montreal meeting
Message-ID: <83D211300393FD2B04839C39@[192.168.1.130]>
X-Mailer: Mulberry/3.1.6 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9
Cc: 

Dear all,

Below please find a draft of the agenda for our meeting
in Montreal.  If you have any comments or requests for
changes, please contact Juergen Schoenwaelder and myself.

Thanks,

    Juergen Q.

============================================
Integrated Security Model for SNMP WG (isms)
IETF #66, Montreal
============================================

CHAIRS: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
        Juergen Quittek       <quittek@ccrle.nec.de>

AGENDA:

  1) Agenda bashing, WG status                     ( 5 min)

  2) Discussion of TMSM open issues                (20 min)
     - draft-ietf-isms-tmsm-02.txt

  3) Discussion of SSHSM open issues               (20 min)
     - draft-ietf-isms-secshell-02.txt

  4) Discussion of radius integration issues       (10 min)
     - draft-ietf-isms-radius-00.txt?

  5) Wrap up                                       ( 5 min)
     - review of action points


INTERNET DRAFTS:

- Transport Mapping Security Model (TMSM) for SNMP
  <draft-ietf-isms-tmsm-02.txt>

- Secure Shell Security Model (SSHSM) for SNMP
  <draft-ietf-isms-secshell-02.txt>





From isms-bounces@lists.ietf.org Tue May 30 11:51:37 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1Fl6VI-0007dL-Sv; Tue, 30 May 2006 11:51:32 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1Fl6VH-0007dF-K0
	for isms@ietf.org; Tue, 30 May 2006 11:51:31 -0400
Received: from rwcrmhc14.comcast.net ([204.127.192.84])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fl6VG-00084F-Na
	for isms@ietf.org; Tue, 30 May 2006 11:51:31 -0400
Received: from harrington73653
	(c-24-128-66-70.hsd1.nh.comcast.net[24.128.66.70])
	by comcast.net (rwcrmhc14) with SMTP
	id <20060530155128m1400kua0te>; Tue, 30 May 2006 15:51:28 +0000
From: "David Harrington" <ietfdbh@comcast.net>
To: "'Sumanth Channabasappa'" <sumanth@cablelabs.com>,
	<isms@ietf.org>
Subject: RE: [Isms] Comments: draft-ietf-isms-tmsm-02
Date: Tue, 30 May 2006 11:50:34 -0400
Message-ID: <0d9701c68400$c9e9ffa0$0400a8c0@china.huawei.com>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <CD6CE349CFD30D40BF5E13B3E0D84804017989FB@srvxchg.cablelabs.com>
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 935fcc3d6c448ae30077dce3cfc94471
Cc: 
Content-Type: multipart/mixed; boundary="===============0022224532=="
Errors-To: isms-bounces@lists.ietf.org

This is a multi-part message in MIME format.

--===============0022224532==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0D98_01C683DF.42D85FA0"

This is a multi-part message in MIME format.

------=_NextPart_000_0D98_01C683DF.42D85FA0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Hi,

Thank you for the review. These comments look very good.
I will address them in the next revision.

dbh

-----Original Message-----
From: Sumanth Channabasappa [mailto:sumanth@cablelabs.com]
Sent: Thursday, May 25, 2006 5:52 PM
To: isms@ietf.org
Subject: [Isms] Comments: draft-ietf-isms-tmsm-02


Folks,

As a follow-up to volunteering for the review of
draft-ietf-isms-tmsm-xx, here are a set of preliminary comments, some
questions and requested clarifications.

They are mostly a collective effort (most of them are from Josh
Littlefield and some from myself, as indicated in []).

regards
Sumanth

- [C#1] 2.2.1

[Sumanth] Are TMSM TMSP and TMSM MPSP really independent as defined in
the figure?

Also see: comments on 2.2.2.2 (C#5) and 4.2 (C#8)

- [C#2] 2.3.1

[Sumanth] This leaves a lot to the security model definitions. Can we
make it a requirement for the security models to define constraints
listed here?

- [C#3] 2.3.3, 1st para (pg 19):

"The cryptographic protocols used to establish keys for a TMSM-based
security model session SHOULD ensure that fresh new session keys are
generated for each session."

[Josh] Would this rule out TLS session resumption, which uses an
abbreviated handshake to resume a cached session?  Shouldn't this be a
transport protocol security issue, not a TMSM issue?

[Sumanth] My assumption is that 'session resumption' should be allowed
(e.g. TLS). Can we include this explicitly and have some
considerations (when to use and when not to)?

- [C#4] 2.2.2.1, 4th para (pg 14):

"Hence, the authentication of a transport layer identity plays an
important role and must be considered by any TMSM, and user
authentication must be available via the transport layer security
protocol."

[Josh] Should avoid talking about "user authentication."  There are no
"users" in the abstract model, only securityNames.  Perhaps the
requirement is for some form of peer principal authentication.

- [C#5] 2.2.2.2, final para (pg 15):

"This may be highly undesirable, however, if it creates a dependency
between a security model and an access control model, just as it is
undesirable that the TMSM approach creates a dependency between a TMSP
and an MPSP."

[Josh, Sumanth] While I agree that interdependence between a security
model and an access control model is undesirable, I don't equate that
with the dependency between a TMSP and an MPSP.  I think the latter is
unavoidable in cases where the transport provides all security
functions, even though SNMP expects them to come from the message
processor.  The SM-specific MPSP would seem to have to be tailored to
the TMSP capabilities in all cases.  In fact, they might be bound
together, even though they provide two separate abstract interfaces.

- [C#6] 2.3, 3rd para (pg 17):

"It is important to note that the architecture described in [RFC3411]
does not include a session selector in the Abstract Service
Interfaces, and neither is that done for this architectural extension,
so an SNMP application cannot select the session except by passing a
unique combination of securityName, securityModel, and securityLevel."

[Josh, Sumanth] Add "transport address" to the list of items used to
select the session.  This would then be consistent with the text in
2.3.1.

- [C#7] 4.2 (pg 25):

[Josh] The TMSM is described as an entity with an (abstract) interface
with a specific TMSM-based security model below it, but in general the
TMSM isn't otherwise described as a component.  It would seem more
clear to talk about the TMSP here, or perhaps the TMSM TMSP, with the
TMSP providing sendMessage() and recvMessage(), and a
security-model-specific TMSP instance providing txMessage(),
rxMessage(), openSession(), etc.

[Josh] The value of the layering between sendMessage() and
txMessage(), and between recvMessage() and rxMessage() (the layering
between a generic TMSP and a SM-specific TMSP) is not obvious.  It
would seem, at the least, that the securityModel would need to be
passed to sendMessage() in order to allow this generic layer to locate
the specific TMSP.  If this is retrieved by the generic TMSP from the
tmStateReference (implied by section 7), then section 7 must be
normative about some of the required content of tmStateReference.

[Josh] Since the recvMessage() ASI is implemented by the Dispatcher
and called by the TMSP, it doesn't seem to make sense that
tmStateReference is an OUTPUT.  It should be an INPUT, since I believe
it is produced by the TMSP and provided to the Dispatcher, as is also
true for the incomingMessage.  The same would seem to be true for the
tmStateReference argument in rxMessage().  Similarly, why would
sessionID be an OUTPUT, indicating it is produced by the Dispatcher?

- [C#8] 4.2 (pg 26):

If the use of sessions is hidden by the TMSP, then it isn't clear why
the ASI to the SM-specific TMSP provides openSession() and
closeSession() mechanisms.  Further, the sessionID is not INPUT to any
ASI other than closeSession(), so what is the point of allowing one to
open a specific session?  Similarly, what is the point of producing
sessionID from the sendMessage() call?  The Dispatcher has no obvious
use for a sessionID (and no ASI to close a session).

- [C#9] 6.2, para 4 (pg 28):

"[discuss] We need to discuss what the meaning of authoritative would
be in a TMSM environment, whether the specific services provided in
USM security from msgSecurityParameters still are needed, and how the
Message Processing model provides this information to the security
model via generateRequestMsg() and processIncomingMsg() primitives."

[Josh] While "authoritative", as relates to the setting of
securityEngineID is defined clearly in RFC 3412, I don't think TMSM
can make any blanket statements about whether securityEngineID (the
authoritative SNMP entity) is needed by the underlying security model.
There may be TMSM-based security models that model themselves on USM
for authentication of the connection originator (client), while using
transport mechanisms for authentication of the server, and require
securityEngineID to be used in a way similar to USM.  If it isn't
used, then it would be up to each specific TMSM model to state that.

Likewise, I think it's up to the specific TMSM model to define the use
of msgSecurityParameters.

[Josh]

Regarding "authoritative", this has been discussed on the mailing list
and this is in agreement with the current consensus (?) -- refer issue
#1 on the mailing list

Regarding "msgSecurityParameters", this has been discussed on the
mailing list and this is in agreement with the current consensus (?)
-- refer issue #2 on the mailing list

- [C#10] 8 & 9 (pg 29+):

[Josh] How does the tmStateReference get into and out of the MPSP?
Are the Dispatcher to MP ASIs augmented to pass this reference?

- [C#11] 9 (pg 30):

[Josh] Now this text makes me think that the openSession() and
closeSession() ASIs were between the MPSP and the TMSP.  Or, does the
MPSP accomplish the actions described here against the TMSP by
internal interfaces?

- [C#12] 11 (Page 33, 34)

[sumanth]

"tmsmSessionSpinLock" - usage is not very clear

"tmsmSessionMaxSupported" - given the interpretation of zero is
'dynamic', what about the case when the max is zero (resource
constraints)? Recommend changing it to a MAX value for dynamic or
something else.

"tmsmSessionEngineID" -- implies that there is one Engine ID per
session. Do we need to make this clear elsewhere?


------=_NextPart_000_0D98_01C683DF.42D85FA0
Content-Type: text/html;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o =3D=20
"urn:schemas-microsoft-com:office:office"><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<TITLE>Message</TITLE>

<META content=3D"MSHTML 6.00.2900.2802" name=3DGENERATOR></HEAD>
<BODY>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">
  <DIV><SPAN class=3D808553521-25052006>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">"[discuss] We =
need to=20
  discuss what the meaning of authoritative would be in a TMSM =
environment,=20
  whether the specific services provided in USM security from=20
  msgSecurityParameters still are needed, and how the Message Processing =
model=20
  provides this information to the security model via =
generateRequestMsg() and=20
  processIncomingMsg() primitives."<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">[Josh] While=20
  "authoritative", as relates to the setting of securityEngineID, is =
defined=20
  clearly in RFC 3412, I don't think TMSM can make any blanket =
statements about=20
  whether securityEngineID (the authoritative SNMP entity) is needed by =
the=20
  underlying security model.<SPAN style=3D"mso-spacerun: yes">&nbsp; =
</SPAN>There=20
  may be TMSM-based security models that model themselves on USM for=20
  authentication of the connection originator (client), while using =
transport=20
  mechanisms for authentication of the server, and require =
securityEngineID to=20
  be used in a way similar to USM.<SPAN style=3D"mso-spacerun: =
yes">&nbsp;=20
  </SPAN>If it isn't used, then it would be up to each specific TMSM =
model to=20
  state that. <o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Likewise, I =
think it's up=20
  to the specific TMSM model to define the use of=20
  msgSecurityParameters.<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">[Josh]=20
  <o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Regarding =
"authoritative",=20
  this has been discussed on the mailing list and this is in agreement =
with the=20
  current consensus (?) -- refer to issue #1 on the mailing=20
  list<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Regarding=20
  "msgSecurityParameters", this has been discussed on the mailing list =
and this=20
  is in agreement with the current consensus (?) -- refer to issue #2 on =
the=20
  mailing list<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">-- [C#10] 8 =
&amp; 9 (pg=20
  29+):<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">[Josh] How does =
the=20
  tmStateReference get into and out of the MPSP?<SPAN=20
  style=3D"mso-spacerun: yes">&nbsp; </SPAN>Are the Dispatcher to MP =
ASIs=20
  augmented to pass this reference?<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">-- [C#11] 9 (pg=20
  30):<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">[Josh] Now this =
text makes=20
  me think that the openSession() and closeSession() ASIs were between =
the MPSP=20
  and the TMSP.<SPAN style=3D"mso-spacerun: yes">&nbsp; </SPAN>Or, does =
the MPSP=20
  accomplish the actions described here against the TMSP by internal=20
  interfaces?<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">-- [C#12] 11 =
(Page 33,=20
  34)<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'">[sumanth]<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'">"tmsmSessionSpinLock" -=20
  usage is not very clear<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'">"tmsmSessionMaxSupported"=20
  - given the interpretation of zero is 'dynamic', what about the case =
when the=20
  max is zero (resource constraints). Recommend changing it to a MAX =
value for=20
  dynamic or something else<o:p></o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'"><o:p>&nbsp;</o:p></SPAN></P>
  <P class=3DMsoNormal style=3D"MARGIN: 0in 0in 0pt 1.5in"><SPAN=20
  style=3D"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier =
New'">"tmsmSessionEngineID" --=20
  implies that there is one Engine ID per session. Do we need to make =
this clear=20
  =
elsewhere?<o:p></o:p></SPAN></P></SPAN></DIV></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_0D98_01C683DF.42D85FA0--



--===============0022224532==--





