
From: Weijun Wang <weijun.wang@oracle.com>
Date: Thu, 3 Aug 2017 10:45:11 +0800
Cc: kitten <kitten@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>, Benjamin Kaduk <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/aUtnuzzKydkm_F0jaebrgjUU0P4>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04

Hi Ekr and Ben

Thanks a lot for your careful review and great suggestions. I'll make the following changes:

1. Append "(authentication tag)" after the first appearance of "cryptographic checksum".

2. In S 4.9, append "and might not match the initiator-requested values" after "These will reflect the actual attributes of the established context."

3. Add Ben's suggested text on GSSName comparison into S 4.13, at the end of the "GSSName objects can be compared..." paragraph.

4. Add a clarification text "When neither of the methods is called, the implementation should choose a default provider for each mechanism it supports" to the introduction of addProviderAtFront() and addProviderAtEnd(), at the end of S 6.1.

I'll post a new draft soon.

Thanks
Max


> On Jul 25, 2017, at 1:04 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Mon, Jul 17, 2017 at 5:22 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> On Fri, Jul 14, 2017 at 08:57:32AM -0700, Eric Rescorla wrote:
> > On Wed, Jul 12, 2017 at 8:41 PM, Weijun Wang <weijun.wang@oracle.com> wrote:
> >
> > > Hi Ekr
> > >
> > > Please read my answers below to your original questions.
> > >
> > > > On Jun 18, 2017, at 2:23 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > > >
> > > > This document seems generally sound. There are some things about this
> > > > API that confused/surprised me and seem perhaps unwise, but given that
> > > > this is a bis, I will mostly confine my review to mostly calling them
> > > > out and asking you to make sure I understand and that the document is
> > > > clear.
> > > >
> > > > OVERALL
> > > > 1. What is a fatal error?
> > > > The document describes exceptions as indicating "fatal errors".
> > > > What does this mean for the state of the context. For instance,
> > > > if I receive an exception from initSecContext(), does that mean
> > > > that it is no longer possible to initiate it? Your example code
> > > > seems to treat them as fatal for the context. What happens
> > > > if I try to use a context after such an event?
> > >
> > > I’ll add a paragraph in "5.12.  Error Reporting” explaining whether the
> > > context is useable after an exception is thrown, for context establishment
> > > and per-message calls, respectively. Something like
> > >
> > > +If an exception is thrown during context establishment, the context
> > > +negotiation has failed and the GSSContext object must be abandoned.
> > > +If it is thrown in a per-message call, the context can remain useful.
> > >
> > > >
> > > >
> > > > 2. How do I enforce properties for received messages?
> > > > I see that I can request services for context initialization
> > > > (requestConf), and that I can check whether a given message
> > > > was encrypted (getPrivacy) but it's not clear to me if this
> > > > causes the API to enforce these rules for tokens that I
> > > > receive. Is that possible or do I just need to check?
> > >
> > > You would have to check. Even if an established security context already
> > > has its getConfState() being true, one can still wrap a message with
> > > privacy state set to false and the peer will unwrap it with success. If the
> > > peer insists only encrypted messages are allowed, she should always check.
> > >
> > > This is already documented in 6.4.10.
> > >
> > > >
> > > > 3. Are the request* flags() hard limits? E.g., if I do
> > > > requestMutualAuth() do I get it or fail?
> > >
> > > The method does not fail itself (i.e. does not throw an exception) and
> > > you need to check the result with those getXyzState() methods after the
> > > context is established.
> > >
> > > I can add a paragraph in S 5.9, something like:
> > >
> > > +If any retrieved attribute does not match the desired value
> > > +but it is necessary for the application protocol, the application should
> > > +destroy the security context and not use it for application traffic.
> > > +Otherwise, at this point, the context can be used by the application to
> > > +apply cryptographic services to its data.
> > >
> >
> > Sorry, I mean does the handshake fail? Or do you just have to check.
>
> You have to check.  The GSS-API has always been a request-and-check
> type of API.
>
> OK. I think that should be explicitly stated.
>
> >
> > > > 4. It's a little unusual to have a structure where you keep
> > > > calling initSecContext or acceptContext() repeatedly. In
> > > > most APIs you would do like "setRole(Server)" or
> > > > "setRoleClient(), and then "Handshake().
> > >
> > > Sorry but this is how GSS-API works now.
> > >
> > > >
> > > > DETAIL
> > > > S 6.1.16.
> > > > Can addProviderAtFront() be used to add new providers which
> > > > the API would not normally use at all?
> > >
> > > No, 6.1.16 already had
> > >
> > >    Only when the indicated provider does not support
> > >    the needed mechanism should the GSSManager move on to a different
> > >    provider.
> > >
> > > I think this implies that a new provider added might be used at all.
> > >
> >
> > That doesn't seem very clear to me. My point is you might have defaults and
> > then add new ones.
>
> I think you could use this to slot in your custom provider that was not
> part of the system Java implementation, yes.
> But I don't interact with the Java GSS stuff very much.
>
> OK. This also needs to be explicit.
>
> > > > S 5.3.
> > > > gss_release_cred() is just eager, right? In any case the data will
> > > > be cleaned up on GC? In any case you should make this clear.
> > >
> > > gss_release_cred() is eager, and there is no other guarantee the data can
> > > be automatically cleaned up. Even if GC cleaned up the GSSCredential
> > > object, there might be unreleased handles underneath.
> > >
> > > S 6.3 already has
> > >
> > >    When the credential is no longer needed, the application should call
> > > the dispose (equivalent to gss_release_cred) method to release any
> > > resources held by the credential object and to destroy any
> > > cryptographically sensitive information.
> > >
> > > Do you think it’s necessary to append something like “An implementation
> > > should not rely on garbage control or a finalize() method to dispose a
> > > credential”?
> > >
> >
> > Yes.
> >
> >
> >
> > >
> > > > S 6.1.15.
> > > > I wouldn't say you are "creating a previously exported context". You
> > > > are either importing it or creating a new context from a previously
> > > > exported one.
> > >
> > > Accepted.
> > >
> > > >
> > > > S 6.2.1.
> > > >
> > > >    // export and re-import the name
> > > >    byte[] exportName = mechName.export();
> > > >
> > > >    // create a new name object from the exported buffer
> > > >    GSSName newName = mgr.createName(exportName,
> > > >                      GSSName.NT_EXPORT_NAME);
> > > >
> > > > This comment structure is confusing, because the first is just
> > > > the export. I would change that.
> > >
> > > Accepted.
> > >
> > > >
> > > >
> > > > S 6.2.6.
> > > > It's a bit unclear to me under what circumstances you can compare GSS
> > > > names. I see you can do .equals() and export/memcmp, but can you
> > > > compare strings? Perhaps after you canonicalize them?
> > >
> > > As Ben and I explained this is quite complicated. Can we not touch it in
> > > this bis?
> >
> >
> > The fact that it's complicated seems like more reason to explain it.
>
> In some sense, you can always compare GSS names (in that the compare-name
> function will not throw an exception), but the results may not always
> match the expected behavior.  (It's too bad that RFC 6680 didn't take the
> time to summarize the state of affairs when adding naming extensions.)
> I don't think we should try to provide a comprehensive review of the
> state of affairs in this document, nor any normative statements (that would
> only apply to implementations of the Java bindings whereas the issues
> apply to all GSS-API implementations).  But perhaps something like the
> following would be reasonable:
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> A full treatment of the behavior of GSS name comparison is outside the
> scope of this work.  However, applications should note that to avoid
> surprising behavior, it is best to ensure that the names being compared
> are either both mechanism names for the same mechanism, or both internal
> names that are not mechanism names.  This holds whether the .equals()
> method is used directly, or the .export() method is used to generate byte
> strings that are then compared byte-by-byte.
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> Yes, this seems fine.
>
> -Ekr
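
The request-and-check behaviour discussed in this thread (check the getXyzState() values after establishment, and check getPrivacy() on every unwrapped message), as an added Java example that is not taken from the draft or from any poster. `requireServices`, `unwrapConfidential` and `stubContext` are hypothetical names; the stub is a constructed stand-in for a context that a real application would obtain from a GSSManager.

```java
import java.lang.reflect.Proxy;
import java.nio.charset.StandardCharsets;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

public class RequestAndCheck {

    /**
     * Call after context establishment. requestMutualAuth()/requestConf() are
     * only requests, so compare what was granted and drop the context on a gap.
     */
    static void requireServices(GSSContext ctx, boolean needMutual, boolean needConf)
            throws GSSException {
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("context is not established yet");
        }
        boolean granted = (!needMutual || ctx.getMutualAuthState())
                && (!needConf || ctx.getConfState());
        if (!granted) {
            ctx.dispose();   // do not use it for application traffic
            throw new SecurityException("required context attribute not granted");
        }
    }

    /**
     * Per-message check: unwrap() succeeds on an integrity-only token even when
     * getConfState() is true, so the receiver inspects MessageProp itself.
     */
    static byte[] unwrapConfidential(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(true);   // unwrap() overwrites this
        byte[] plain = ctx.unwrap(token, 0, token.length, prop);
        if (!prop.getPrivacy()) {
            throw new SecurityException("peer sent a token without confidentiality");
        }
        return plain;
    }

    /** Constructed stand-in (assumption): reports fixed attributes, echoes tokens. */
    static GSSContext stubContext(boolean mutual, boolean conf, boolean tokenEncrypted) {
        return (GSSContext) Proxy.newProxyInstance(
                RequestAndCheck.class.getClassLoader(),
                new Class<?>[] { GSSContext.class },
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "isEstablished":      return true;
                        case "getMutualAuthState": return mutual;
                        case "getConfState":       return conf;
                        case "unwrap":
                            // byte[] overload only: report the per-message privacy state
                            ((MessageProp) args[3]).setPrivacy(tokenEncrypted);
                            return args[0];
                        default:
                            return null;           // dispose() and unused methods
                    }
                });
    }

    public static void main(String[] args) throws GSSException {
        byte[] token = "constructed sample token".getBytes(StandardCharsets.UTF_8);

        // Everything requested was granted and the message was encrypted.
        GSSContext good = stubContext(true, true, true);
        requireServices(good, true, true);
        System.out.println("accepted: "
                + new String(unwrapConfidential(good, token), StandardCharsets.UTF_8));

        // Context has confidentiality, but the peer wrapped this message without it.
        GSSContext mixed = stubContext(true, true, false);
        requireServices(mixed, true, true);
        try {
            unwrapConfidential(mixed, token);
        } catch (SecurityException e) {
            System.out.println("rejected message: " + e.getMessage());
        }

        // Confidentiality was requested but not granted at establishment.
        try {
            requireServices(stubContext(true, false, false), true, true);
        } catch (SecurityException e) {
            System.out.println("rejected context: " + e.getMessage());
        }
    }
}
```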


Date: Thu, 3 Aug 2017 19:40:34 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Weijun Wang <weijun.wang@oracle.com>
Cc: Eric Rescorla <ekr@rtfm.com>, kitten <kitten@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/JSUD9Qd_K8lTSYEvbOVcDsmtaKo>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04

Hi Max,

I hope your vacation was relaxing!

On Thu, Aug 03, 2017 at 10:45:11AM +0800, Weijun Wang wrote:
> Hi Ekr and Ben
> 
> Thanks a lot for your careful review and great suggestions. I'll make the following changes:
> 
> 1. Append "(authentication tag)" after the first appearance of "cryptographic checksum".
> 
> 2. In S 4.9, append "and might not match the initiator-requested values" after "These will reflect the actual attributes of the established context."
> 
> 3. Add Ben's suggested text on GSSName comparison into S 4.13, at the end of the "GSSName objects can be compared..." paragraph.
> 
> 4. Add a clarification text "When neither of the methods is called, the implementation should choose a default provider for each mechanism it supports" to the introduction of addProviderAtFront() and addProviderAtEnd(), at the end of S 6.1.

I'm not entirely sure that this addresses Ekr's concern.  Laying it out (hopefully)
more clearly, suppose that I have a java standard library that provides GSSAPI
support, and supports the krb5 and ntlm mechanisms.  It's clear that my
application code could supply an alternate provider for the krb5 mech and
have that used preferentially.  But could my application code also supply
a provider for, say, the IAKERB mech via addProviderAtFront, and have that used?

Regardless, thanks for these edits -- I look forward to the new revision.

-Ben


 


From: Weijun Wang <weijun.wang@oracle.com>
Date: Fri, 4 Aug 2017 17:45:16 +0800
Cc: Eric Rescorla <ekr@rtfm.com>, kitten <kitten@ietf.org>
To: Benjamin Kaduk <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/AP_9S9dGpxv8FEhGByRelAPHKvc>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04

> On Aug 4, 2017, at 8:40 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> Hi Max,
>
> I hope your vacation was relaxing!

Mentally yes, physically not really.

>
> On Thu, Aug 03, 2017 at 10:45:11AM +0800, Weijun Wang wrote:
>> Hi Ekr and Ben
>>
>> Thanks a lot for your careful review and great suggestions. I'll make the following changes:
>>
>> 1. Append "(authentication tag)" after the first appearance of "cryptographic checksum".
>>
>> 2. In S 4.9, append "and might not match the initiator-requested values" after "These will reflect the actual attributes of the established context."
>>
>> 3. Add Ben's suggested text on GSSName comparison into S 4.13, at the end of the "GSSName objects can be compared..." paragraph.
>>
>> 4. Add a clarification text "When neither of the methods is called, the implementation should choose a default provider for each mechanism it supports" to the introduction of addProviderAtFront() and addProviderAtEnd(), at the end of S 6.1.
>
> I'm not entirely sure that this addresses Ekr's concern.  Laying it out (hopefully)
> more clearly, suppose that I have a java standard library that provides GSSAPI
> support, and supports the krb5 and ntlm mechanisms.  It's clear that my
> application code could supply an alternate provider for the krb5 mech and
> have that used preferentially.  But could my application code also supply
> a provider for, say, the IAKERB mech via addProviderAtFront, and have that used?

Yes, you can.

That said, it's not easy. The Java bindings of GSS-API do not contain publicly available interfaces for mechanism providers, and each GSS-API implementation defines its own interfaces. So if you want to write an IAKERB provider for Oracle's Java (or OpenJDK), you need to extend Oracle's interfaces. If you want to write one for IBM's Java, you extend IBM's interfaces. At least for Oracle JDK, these interfaces are internal so you end up releasing your own fork of JDK.

>
> Regardless, thanks for these edits -- I look forward to the new revision.

Working on it.

Thanks
Max

>
> -Ben
>
>
>
>> I'll post a new draft soon.
>>
>> Thanks
>> Max
>>
>>
>>> On Jul 25, 2017, at 1:04 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>
>>>
>>> On Mon, Jul 17, 2017 at 5:22 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>> On Fri, Jul 14, 2017 at 08:57:32AM -0700, Eric Rescorla wrote:
>>>> On Wed, Jul 12, 2017 at 8:41 PM, Weijun Wang <weijun.wang@oracle.com> wrote:
>>>>
>>>>> Hi Ekr
>>>>>
>>>>> Please read my answers below to your original questions.
>>>>>
>>>>>> On Jun 18, 2017, at 2:23 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>>
>>>>>> This document seems generally sound. There are some things about this
>>>>>> API that confused/surprised me and seem perhaps unwise, but given that
>>>>>> this is a bis, I will mostly confine my review to mostly calling them
>>>>>> out and asking you to make sure I understand and that the document is
>>>>>> clear.
>>>>>>
>>>>>> OVERALL
>>>>>> 1. What is a fatal error?
>>>>>> The document describes exceptions as indicating "fatal errors".
>>>>>> What does this mean for the state of the context. For instance,
>>>>>> if I receive an exception from initSecContext(), does that mean
>>>>>> that it is no longer possible to initiate it? Your example code
>>>>>> seems to treat them as fatal for the context. What happens
>>>>>> if I try to use a context after such an event?
>>>>>
>>>>> I’ll add a paragraph in "5.12.  Error Reporting" explaining whether the
>>>>> context is useable after an exception is thrown, for context establishment
>>>>> and per-message calls, respectively. Something like
>>>>>
>>>>> +If an exception is thrown during context establishment, the context
>>>>> +negotiation has failed and the GSSContext object must be abandoned.
>>>>> +If it is thrown in a per-message call, the context can remain useful.
>>>>>
>>>>>>
>>>>>>
>>>>>> 2. How do I enforce properties for received messages?
>>>>>> I see that I can request services for context initialization
>>>>>> (requestConf), and that I can check whether a given message
>>>>>> was encrypted (getPrivacy) but it's not clear to me if this
>>>>>> causes the API to enforce these rules for tokens that I
>>>>>> receive. Is that possible or do I just need to check?
>>>>>
>>>>> You would have to check. Even if an established security context already
>>>>> has its getConfState() being true, one can still wrap a message with
>>>>> privacy state set to false and the peer will unwrap it with success. If the
>>>>> peer insists only encrypted messages are allowed, she should always check.
>>>>>
>>>>> This is already documented in 6.4.10.
>>>>>
>>>>>>
>>>>>> 3. Are the request* flags() hard limits? E.g., if I do
>>>>>> requestMutualAuth() do I get it or fail?
>>>>>
>>>>> The method does not fail itself (i.e. does not throw an exception) and
>>>>> you need to check the result with those getXyzState() methods after the
>>>>> context is established.
>>>>>
>>>>> I can add a paragraph in S 5.9, something like:
>>>>>
>>>>> +If any retrieved attribute does not match the desired value
>>>>> +but it is necessary for the application protocol, the application should
>>>>> +destroy the security context and not use it for application traffic.
>>>>> +Otherwise, at this point, the context can be used by the application to
>>>>> +apply cryptographic services to its data.
>>>>>
>>>>
>>>> Sorry, I mean does the handshake fail? Or do you just have to check.
>>>
>>> You have to check.  The GSS-API has always been a request-and-check
>>> type of API.
>>>
>>> OK. I think that should be explicitly stated.
>>>
>>>
>>>>
>>>>> 4. It's a little unusual to have a structure where you keep
>>>>>> calling initSecContext or acceptContext() repeatedly. In
>>>>>> most APIs you would do like "setRole(Server)" or
>>>>>> "setRoleClient(), and then "Handshake().
>>>>>
>>>>> Sorry but this is how GSS-API works now.
>>>>>
>>>>>>
>>>>>> DETAIL
>>>>>> S 6.1.16.
>>>>>> Can addProviderAtFront() be used to add new providers which
>>>>>> the API would not normally use at all?
>>>>>
>>>>> No, 6.1.16 already had
>>>>>
>>>>>   Only when the indicated provider does not support
>>>>>   the needed mechanism should the GSSManager move on to a different
>>>>>   provider.
>>>>>
>>>>> I think this implies that a new provider added might be used at all.
>>>>>
>>>>
>>>> That doesn't seem very clear to me. My point is you might have defaults and
>>>> then add new ones.
>>>
>>> I think you could use this to slot in your custom provider that was not
>>> part of the system Java implementation, yes.
>>> But I don't interact with the Java GSS stuff very much.
>>>
>>> OK. This also needs to be explicit.
>>>
>>>>>> S 5.3.
>>>>>> gss_release_cred() is just eager, right? In any case the data will
>>>>>> be cleaned up on GC? In any case you should make this clear.
>>>>>
>>>>> gss_release_cred() is eager, and there is no other guarantee the data can
>>>>> be automatically cleaned up. Even if GC cleaned up the GSSCredential
>>>>> object, there might be unreleased handles underneath.
>>>>>
>>>>> S 6.3 already has
>>>>>
>>>>>   When the credential is no longer needed, the application should call
>>>>> the dispose (equivalent to gss_release_cred) method to release any
>>>>> resources held by the credential object and to destroy any
>>>>> cryptographically sensitive information.
>>>>>
>>>>> Do you think it’s necessary to append something like “An implementation
>>>>> should not rely on garbage control or a finalize() method to dispose a
>>>>> credential”?
>>>>>
>>>>
>>>> Yes.
>>>>
>>>>
>>>>
>>>>>
>>>>>> S 6.1.15.
>>>>>> I wouldn't say you are "creating a previously exported context". You
>>>>>> are either importing it or creating a new context from a previously
>>>>>> exported one.
>>>>>
>>>>> Accepted.
>>>>>
>>>>>>
>>>>>> S 6.2.1.
>>>>>>
>>>>>>   // export and re-import the name
>>>>>>   byte[] exportName = mechName.export();
>>>>>>
>>>>>>   // create a new name object from the exported buffer
>>>>>>   GSSName newName = mgr.createName(exportName,
>>>>>>                     GSSName.NT_EXPORT_NAME);
>>>>>>
>>>>>> This comment structure is confusing, because the first is just
>>>>>> the export. I would change that.
>>>>>
>>>>> Accepted.
>>>>>
>>>>>>
>>>>>>
>>>>>> S 6.2.6.
>>>>>> It's a bit unclear to me under what circumstances you can compare GSS
>>>>>> names. I see you can do .equals() and export/memcmp, but can you
>>>>>> compare strings? Perhaps after you canonicalize them?
>>>>>
>>>>> As Ben and I explained this is quite complicated. Can we not touch it in
>>>>> this bis?
>>>>
>>>>
>>>> The fact that it's complicated seems like more reason to explain it.
>>>
>>> In some sense, you can always compare GSS names (in that the compare-name
>>> function will not throw an exception), but the results may not always
>>> match the expected behavior.  (It's too bad that RFC 6680 didn't take the
>>> time to summarize the state of affairs when adding naming extensions.)
>>> I don't think we should try to provide a comprehensive review of the
>>> state of affairs in this document, nor any normative statements (that would
>>> only apply to implementations of the Java bindings whereas the issues
>>> apply to all GSS-API implementations).  But perhaps something like the
>>> following would be reasonable:
>>>
>>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>>
>>> A full treatment of the behavior of GSS name comparison is outside the
>>> scope of this work.  However, applications should note that to avoid
>>> surprising behavior, it is best to ensure that the names being compared
>>> are either both mechanism names for the same mechanism, or both internal
>>> names that are not mechanism names.  This holds whether the .equals()
>>> method is used directly, or the .export() method is used to generate byte
>>> strings that are then compared byte-by-byte.
>>>
>>> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>>>
>>> Yes, this seems fine.
>>>
>>> -Ekr
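
The request-and-check pattern from review points 2 and 3 in the message above, as an added Java example; it is not code from the draft or from any poster. The names requireAttributes, unwrapConfidential and fakeContext are hypothetical, and fakeContext is a constructed java.lang.reflect.Proxy stand-in for an established context so the checks run without a KDC.

```java
import java.lang.reflect.Proxy;
import java.nio.charset.StandardCharsets;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

public class RequestAndCheck {

    // Call after isEstablished() returns true and before sending application data.
    // requestMutualAuth()/requestConf()/requestInteg() are only requests, so the
    // granted attributes are read back and the context is dropped on a mismatch.
    static void requireAttributes(GSSContext ctx) throws GSSException {
        boolean ok = ctx.getMutualAuthState() && ctx.getConfState() && ctx.getIntegState();
        if (!ok) {
            ctx.dispose(); // release the context rather than use it for traffic
            throw new SecurityException("established context lacks a required attribute");
        }
    }

    // unwrap() succeeds on an integrity-only token even when getConfState() is
    // true, so the per-message privacy flag is checked on every received token.
    static byte[] unwrapConfidential(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(0, true); // overwritten by unwrap()
        byte[] plain = ctx.unwrap(token, 0, token.length, prop);
        if (!prop.getPrivacy()) {
            throw new SecurityException("token was not encrypted by the peer");
        }
        return plain;
    }

    // Constructed stand-in (assumption, not a real mechanism): reports the given
    // context attributes, and its unwrap() echoes the token while marking it as
    // encrypted or not. Every other GSSContext method is unsupported.
    static GSSContext fakeContext(boolean mutual, boolean conf, boolean tokenEncrypted) {
        return (GSSContext) Proxy.newProxyInstance(
            RequestAndCheck.class.getClassLoader(),
            new Class<?>[] { GSSContext.class },
            (proxy, method, callArgs) -> {
                switch (method.getName()) {
                    case "getMutualAuthState": return mutual;
                    case "getConfState":       return conf;
                    case "getIntegState":      return true;
                    case "dispose":            return null;
                    case "unwrap":
                        ((MessageProp) callArgs[3]).setPrivacy(tokenEncrypted);
                        return callArgs[0];
                    default:
                        throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) throws GSSException {
        byte[] token = "constructed sample token".getBytes(StandardCharsets.UTF_8);

        // Case 1: everything requested was granted and the token is encrypted.
        GSSContext good = fakeContext(true, true, true);
        requireAttributes(good);
        byte[] plain = unwrapConfidential(good, token);
        System.out.println("accepted: " + new String(plain, StandardCharsets.UTF_8));

        // Case 2: the context offers confidentiality, but the peer wrapped this
        // message with the privacy state set to false.
        GSSContext mixed = fakeContext(true, true, false);
        requireAttributes(mixed);
        try {
            unwrapConfidential(mixed, token);
        } catch (SecurityException e) {
            System.out.println("rejected token: " + e.getMessage());
        }

        // Case 3: mutual authentication was requested but not granted.
        try {
            requireAttributes(fakeContext(false, true, true));
        } catch (SecurityException e) {
            System.out.println("rejected context: " + e.getMessage());
        }
    }
}
```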


From nobody Fri Aug  4 03:15:41 2017
Return-Path: <weijun.wang@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4949B131FC7 for <kitten@ietfa.amsl.com>; Fri,  4 Aug 2017 03:15:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level: 
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oPRziieIHwMC for <kitten@ietfa.amsl.com>; Fri,  4 Aug 2017 03:15:38 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB9E4131CE8 for <kitten@ietf.org>; Fri,  4 Aug 2017 03:15:38 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v74AFbXM021195 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 4 Aug 2017 10:15:37 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v74AFbF2012573 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 4 Aug 2017 10:15:37 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v74AFalg017472; Fri, 4 Aug 2017 10:15:37 GMT
Received: from dhcp-tokyo-twvpn-1a-vpnpool-10-191-2-46.vpn.oracle.com (/10.191.2.46) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 04 Aug 2017 03:15:36 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <20170804004033.GB70977@kduck.kaduk.org>
Date: Fri, 4 Aug 2017 18:15:33 +0800
Cc: Eric Rescorla <ekr@rtfm.com>, kitten <kitten@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <599ED5F5-E418-4F92-A9F4-E3AFE7B67718@oracle.com>
References: <CABcZeBPG-xqYj+FrPfJofvpLP-UD2PA52NrgxR_Y4nzwY4S8Uw@mail.gmail.com> <DC114106-3DAA-4CFC-B83D-EA277036AEAE@oracle.com> <CABcZeBP6+dtxoR9eib2Ymhv7fBORMnw4M+NSKN-7WG3AowVG0Q@mail.gmail.com> <20170718002217.GL75962@kduck.kaduk.org> <CABcZeBNWQBjx5Bx-XmVfxxtsiZnUayT18EUkSxDh56i_A=vaYw@mail.gmail.com> <84A3DE01-19D1-49A0-BA08-C71FB96C20AB@oracle.com> <20170804004033.GB70977@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3273)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/dvAqF-X8cl1D_tpDFKczUjmd0po>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 10:15:40 -0000

> On Aug 4, 2017, at 8:40 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> 4. Add a clarification text "When neither of the methods is called, the implementation should choose a default provider for each mechanism it supports" to the introduction of addProviderAtFront() and addProviderAtEnd(), at the end of S 6.1.
>
> I'm not entirely sure that this addresses Ekr's concern.  Laying it out (hopefully)
> more clearly, suppose that I have a java standard library that provides GSSAPI
> support, and supports the krb5 and ntlm mechanisms.  It's clear that my
> application code could supply an alternate provider for the krb5 mech and
> have that used preferentially.  But could my application code also supply
> a provider for, say, the IAKERB mech via addProviderAtFront, and have that used?

I think this is already covered in https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-04#page-34:

> 3) The application wants to use the locally configured providers as
>       far as possible, but if support is missing for one or more
>       mechanisms, then it wants to fall back on its own provider.

Here, support for the IAKERB mech "is missing", and the user provides "its own provider". Of course in this case, calling addProviderAtFront or addProviderAtEnd makes no difference.

Thanks
Max


From nobody Fri Aug  4 04:08:47 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: kitten@ietf.org
Delivered-To: kitten@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1382D13206D; Fri,  4 Aug 2017 04:08:39 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: kitten@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150184491887.18675.15977987876006416661@ietfa.amsl.com>
Date: Fri, 04 Aug 2017 04:08:38 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/EY11tl8BkJbYPtCpBvuZtNBmh7U>
Subject: [kitten] I-D Action: draft-ietf-kitten-rfc5653bis-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 11:08:39 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next Generation WG of the IETF.

        Title           : Generic Security Service API Version 2: Java Bindings Update
        Authors         : Mayank D. Upadhyay
                          Seema Malkani
                          Wang Weijun
	Filename        : draft-ietf-kitten-rfc5653bis-05.txt
	Pages           : 94
	Date            : 2017-08-04

Abstract:
   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in
   "Generic Security Service API Version 2 : Java Bindings Update" (RFC
   5653).  This document obsoletes RFC 5653 by adding a new output token
   field to the GSSException class so that when the initSecContext or
   acceptSecContext methods of the GSSContext class fails it has a
   chance to emit an error token which can be sent to the peer for
   debugging or informational purpose.  The stream-based GSSContext
   methods are also removed in this version.

   The GSS-API is described at a language-independent conceptual level
   in "Generic Security Service Application Program Interface Version 2,
   Update 1" (RFC 2743).  The GSS-API allows a caller application to
   authenticate a principal identity, to delegate rights to a peer, and
   to apply security services such as confidentiality and integrity on a
   per-message basis.  Examples of security mechanisms defined for GSS-
   API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The
   Kerberos Version 5 Generic Security Service Application Program
   Interface (GSS-API) Mechanism: Version 2" (RFC 4121).


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc5653bis/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-05
https://datatracker.ietf.org/doc/html/draft-ietf-kitten-rfc5653bis-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-rfc5653bis-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Aug  4 04:15:55 2017
Return-Path: <weijun.wang@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6863B132033 for <kitten@ietfa.amsl.com>; Fri,  4 Aug 2017 04:15:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level: 
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKxn8z2tvK6A for <kitten@ietfa.amsl.com>; Fri,  4 Aug 2017 04:15:50 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 484DA132145 for <kitten@ietf.org>; Fri,  4 Aug 2017 04:15:50 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v74BFmbT010897 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 4 Aug 2017 11:15:49 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v74BFl4w021618 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 4 Aug 2017 11:15:48 GMT
Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v74BFlYb012543; Fri, 4 Aug 2017 11:15:47 GMT
Received: from dhcp-tokyo-twvpn-1a-vpnpool-10-191-2-46.vpn.oracle.com (/10.191.2.46) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 04 Aug 2017 04:15:47 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <20170804004033.GB70977@kduck.kaduk.org>
Date: Fri, 4 Aug 2017 19:15:36 +0800
Cc: kitten <kitten@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <C2BE86EA-DDE4-4AEC-91BA-92DF779B99A7@oracle.com>
References: <CABcZeBPG-xqYj+FrPfJofvpLP-UD2PA52NrgxR_Y4nzwY4S8Uw@mail.gmail.com> <DC114106-3DAA-4CFC-B83D-EA277036AEAE@oracle.com> <CABcZeBP6+dtxoR9eib2Ymhv7fBORMnw4M+NSKN-7WG3AowVG0Q@mail.gmail.com> <20170718002217.GL75962@kduck.kaduk.org> <CABcZeBNWQBjx5Bx-XmVfxxtsiZnUayT18EUkSxDh56i_A=vaYw@mail.gmail.com> <84A3DE01-19D1-49A0-BA08-C71FB96C20AB@oracle.com> <20170804004033.GB70977@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@mit.edu>, Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3273)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/IoBIGQCZP-wgk2vAmY7edvkYc-E>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 11:15:53 -0000

> On Aug 4, 2017, at 8:40 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Regardless, thanks for these edits -- I look forward to the new revision.

Just posted https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-05.

Thanks
Max


From nobody Sun Aug 13 12:24:24 2017
Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88D961326B8 for <kitten@ietfa.amsl.com>; Sun, 13 Aug 2017 12:24:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.636
X-Spam-Level: 
X-Spam-Status: No, score=-1.636 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sd3rPq9uSRbp for <kitten@ietfa.amsl.com>; Sun, 13 Aug 2017 12:24:22 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 032A21326AC for <kitten@ietf.org>; Sun, 13 Aug 2017 12:24:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 47DB8C8E49 for <kitten@ietf.org>; Sun, 13 Aug 2017 19:24:21 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo01-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6fgpCNxwRk_K for <kitten@ietf.org>; Sun, 13 Aug 2017 19:24:21 +0000 (UTC)
Received: from macbook-air-2.lan (66-215-86-135.dhcp.psdn.ca.charter.com [66.215.86.135]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 12095C8B0A for <kitten@ietf.org>; Sun, 13 Aug 2017 19:24:20 +0000 (UTC)
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu>
Date: Sun, 13 Aug 2017 12:24:19 -0700
To: "kitten@ietf.org <kitten@ietf.org>" <kitten@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/pWuqu0Pt1gA2u8n-1AHH9DF4Yz0>
Subject: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Aug 2017 19:24:23 -0000

First of all, I find the content compelling and I support moving forward. This draft seems to have been “worked over” pretty well.

The precise form of pake specified is apparently unique in some details. I wonder if we should get the cfrg to review and comment on it.

There are a number of TBDs which need finalizing. (pp 6, 9, 12, & 16)

Section 3 should include pointers to where the prerequisites are specified. In the case of PA-FX-COOKIE and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED that is rfc6113, section 5.2.  PA-ETYPE-INFO2 is rfc4120, section 3.1.3.

[NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.



Personal email.  hbhotz@oxy.edu




From nobody Mon Aug 14 08:13:31 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19619132357 for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 08:13:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJtyL4BZbMoa for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 08:13:28 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B661C13234E for <kitten@ietf.org>; Mon, 14 Aug 2017 08:13:28 -0700 (PDT)
X-AuditID: 12074424-ee3ff70000005919-41-5991be178e3b
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id B3.00.22809.71EB1995; Mon, 14 Aug 2017 11:13:27 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7EFDROa019782; Mon, 14 Aug 2017 11:13:27 -0400
Received: from [18.101.8.96] (VPN-18-101-8-96.MIT.EDU [18.101.8.96]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7EFDOQt005800 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 14 Aug 2017 11:13:26 -0400
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu>
From: Greg Hudson <ghudson@mit.edu>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu>
Date: Mon, 14 Aug 2017 11:13:24 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/5_HfvlIcUUxAQHeQkduWO68DWGw>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 15:13:30 -0000

Thanks very much for the review.  I know that this draft is a bit denser
than some.

On 08/13/2017 03:24 PM, Henry B (Hank) Hotz, CISSP wrote:
> There are a number of TBDs which need finalizing. (pp 6, 9, 12, & 16)

I can assign padata and key usage numbers, but if the draft changes
incompatibly they might then need to be reassigned.  So I plan to
wait until it looks like there is working group consensus on the
substantive parts of the document.

> Section 3 should include pointers to where the prerequisites are specified. In the case of PA-FX-COOKIE and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED that is rfc6113, section 5.2.  PA-ETYPE-INFO2 is rfc4120, section 3.1.3.

I will add those.  In the first prereq, this is a little
awkward--ETYPE-INFO2 support is old hat, but we require the relatively
new behavior (from RFC 6113) of sending only a single entry.  My
proposed new text for that prereq is:

    This mechanism requires the initial KDC pre-authentication state
    to contain a singular reply key. Therefore, a KDC which offers
    SPAKE pre-authentication as a stand-alone mechanism MUST supply
    a PA-ETYPE-INFO2 value containing a single ETYPE-INFO2-ENTRY,
    as described in [RFC6113] section 2.1. PA-ETYPE-INFO2 is
    specified in [RFC4120] section 5.2.7.5.

> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.

The word "Next" is intended, but I can see that "will complete its part
of the SPAKE process" is too vague--it is not clear that it is
describing a computation step with no protocol messages.  I propose this
wording, combining the first two paragraphs:

    Upon receipt of the challenge message, the client will complete
    its part of the SPAKE algorithm, generating a public key and
    computing the shared secret K. Next, the client chooses one of the
    second factor types [...]


From nobody Mon Aug 14 10:30:31 2017
Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D60613226B for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 10:30:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.535
X-Spam-Level: 
X-Spam-Status: No, score=-3.535 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVRet-mKa9cG for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 10:30:28 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C14921323B5 for <kitten@ietf.org>; Mon, 14 Aug 2017 10:30:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id DD6E1297EA; Mon, 14 Aug 2017 17:30:26 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo02-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZiXynmrAeRuv; Mon, 14 Aug 2017 17:30:26 +0000 (UTC)
Received: from macbook-air-2.lan (66-215-86-135.dhcp.psdn.ca.charter.com [66.215.86.135]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 28087297E4; Mon, 14 Aug 2017 17:30:24 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu>
Date: Mon, 14 Aug 2017 10:30:23 -0700
Cc: "kitten@ietf.org" <kitten@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu> <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/7kSuVpRTqgtMxagwRluOLNbe554>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 17:30:30 -0000

> On Aug 14, 2017, at 8:13 AM, Greg Hudson <ghudson@mit.edu> wrote:
>
> Thanks very much for the review.  I know that this draft is a bit denser
> than some.

The density is whatever it needs to be for the subject. The material is well organized, and clear per se, but the reader needs to know that some material needed to appreciate the early sections is in later sections.

If we can get someone else new to go through it and see if more forward references are needed . . .

I do not think this issue justifies holding up publication. This is just wordsmithing and clarity, not substance.

> On 08/13/2017 03:24 PM, Henry B (Hank) Hotz, CISSP wrote:
>> There are a number of TBDs which need finalizing. (pp 6, 9, 12, & 16)
>
> I can assign padata and key usage numbers, but if the draft changes
> incompatibly they might then need to be reassigned.  So I plan to
> wait until it looks like there is working group consensus on the
> substantive parts of the document.

No prob. I’m sure the RFC editor will hold your feet to the fire on that one. ;-)

>> Section 3 should include pointers to where the prerequisites are specified. In the case of PA-FX-COOKIE and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED that is rfc6113, section 5.2.  PA-ETYPE-INFO2 is rfc4120, section 3.1.3.
>
> I will add those.  In the first prereq, this is a little
> awkward--ETYPE-INFO2 support is old hat, but we require the relatively
> new behavior (from RFC 6113) of sending only a single entry.  My
> proposed new text for that prereq is:
>
>    This mechanism requires the initial KDC pre-authentication state
>    to contain a singular reply key. Therefore, a KDC which offers
>    SPAKE pre-authentication as a stand-alone mechanism MUST supply
>    a PA-ETYPE-INFO2 value containing a single ETYPE-INFO2-ENTRY,
>    as described in [RFC6113] section 2.1. PA-ETYPE-INFO2 is
>    specified in [RFC4120] section 5.2.7.5.

Good. Thanks.

>> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.
>
> The word "Next" is intended, but I can see that "will complete its part
> of the SPAKE process" is too vague--it is not clear that it is
> describing a computation step with no protocol messages.  I propose this
> wording, combining the first two paragraphs:
>
>    Upon receipt of the challenge message, the client will complete
>    its part of the SPAKE algorithm, generating a public key and
>    computing the shared secret K. Next, the client chooses one of the
>    second factor types [...]

Hmmm. I still wasn’t interpreting it right. If you say “next” I wonder what the preceding “first” or “next” was. I didn’t have an explicit referent to halt my mental search. In this case I think it’s:

   Upon receipt of the challenge message, the client will first complete
   its part of the SPAKE algorithm in accordance with section 7,
   generating a public key and computing the shared secret K.

   Next, the client chooses one of the second factor types […]

???

Personal email.  hbhotz@oxy.edu




From nobody Mon Aug 14 11:01:55 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B2A81323F7 for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 11:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AiC8hadyP5mE for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 11:01:52 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A28461323CA for <kitten@ietf.org>; Mon, 14 Aug 2017 11:01:52 -0700 (PDT)
X-AuditID: 12074423-757ff700000014c4-6a-5991e58f58db
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id C7.5B.05316.F85E1995; Mon, 14 Aug 2017 14:01:51 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7EI1omQ013113; Mon, 14 Aug 2017 14:01:51 -0400
Received: from [18.101.8.96] (VPN-18-101-8-96.MIT.EDU [18.101.8.96]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7EI1mOo031805 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 14 Aug 2017 14:01:49 -0400
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu> <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu> <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
Cc: "kitten@ietf.org" <kitten@ietf.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <b3cb2607-dad0-c44e-7eca-20e6743b231e@mit.edu>
Date: Mon, 14 Aug 2017 14:01:48 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-eA5RXy-ZE7Hmc4roFfhjx0DYlc>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 18:01:54 -0000

On 08/14/2017 01:30 PM, Henry B (Hank) Hotz, CISSP wrote:
>>> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.
>>
>> The word "Next" is intended, but I can see that "will complete its part
>> of the SPAKE process" is too vague--it is not clear that it is
>> describing a computation step with no protocol messages.  I propose this
>> wording, combining the first two paragraphs:
>>
>>    Upon receipt of the challenge message, the client will complete
>>    its part of the SPAKE algorithm, generating a public key and
>>    computing the shared secret K. Next, the client chooses one of the
>>    second factor types [...]
> 
> Hmmm. I still wasn’t interpreting it right. If you say “next” I wonder what the preceding “first” or “next” was. I didn’t have an explicit referent to halt my mental search. In this case I think it’s:

Perhaps using "then" instead of next will help?  Current proposed
wording (with some minor edits to the later sentences):

    Upon receipt of the challenge message, the client will complete
    its part of the SPAKE algorithm, generating a public key and
    computing the shared secret K. The client will then choose one of
    the second factor types listed in the factors field of the challenge
    message and gather whatever data is required for the chosen second
    factor type, possibly using the associated challenge data. Finally,
    the client will send an AS-REQ containing a PA-SPAKE PA-DATA
    element using the response choice.


From nobody Mon Aug 14 14:39:55 2017
Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 854EF132431 for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 14:39:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.535
X-Spam-Level: 
X-Spam-Status: No, score=-3.535 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 992TbepEHaKp for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 14:39:51 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9BFD13243A for <kitten@ietf.org>; Mon, 14 Aug 2017 14:39:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id D16BFC8BBB; Mon, 14 Aug 2017 21:39:50 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo01-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EqNqmM8EC6Ka; Mon, 14 Aug 2017 21:39:50 +0000 (UTC)
Received: from macbook-air-2.lan (66-215-86-135.dhcp.psdn.ca.charter.com [66.215.86.135]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id AE845C8864; Mon, 14 Aug 2017 21:39:41 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <b3cb2607-dad0-c44e-7eca-20e6743b231e@mit.edu>
Date: Mon, 14 Aug 2017 14:39:40 -0700
Cc: "kitten@ietf.org" <kitten@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <118501F3-DE77-42C9-9895-A4B10C49AB00@oxy.edu>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu> <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu> <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu> <b3cb2607-dad0-c44e-7eca-20e6743b231e@mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/DpDnWSGL6UeJgUG0S88j0OvrTcQ>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 21:39:53 -0000

> On Aug 14, 2017, at 11:01 AM, Greg Hudson <ghudson@MIT.EDU> wrote:
>
> On 08/14/2017 01:30 PM, Henry B (Hank) Hotz, CISSP wrote:
>>>> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.
>>>
>>> The word "Next" is intended, but I can see that "will complete its part
>>> of the SPAKE process" is too vague--it is not clear that it is
>>> describing a computation step with no protocol messages.  I propose this
>>> wording, combining the first two paragraphs:
>>>
>>>   Upon receipt of the challenge message, the client will complete
>>>   its part of the SPAKE algorithm, generating a public key and
>>>   computing the shared secret K. Next, the client chooses one of the
>>>   second factor types [...]
>>
>> Hmmm. I still wasn’t interpreting it right. If you say “next” I wonder what the preceding “first” or “next” was. I didn’t have an explicit referent to halt my mental search. In this case I think it’s:
>
> Perhaps using "then" instead of next will help?  Current proposed
> wording (with some minor edits to the later sentences):
>
>    Upon receipt of the challenge message, the client will complete
>    its part of the SPAKE algorithm, generating a public key and
>    computing the shared secret K. The client will then choose one of
>    the second factor types listed in the factors field of the challenge
>    message and gather whatever data is required for the chosen second
>    factor type, possibly using the associated challenge data. Finally,
>    the client will send an AS-REQ containing a PA-SPAKE PA-DATA
>    element using the response choice.

That’s good.

I did put the forward reference in because of what I said at the beginning of my last email, but I’m not hard over. I’m also no longer the best judge.  Any other opinions?

Personal email.  hbhotz@oxy.edu




From nobody Wed Aug 16 18:48:32 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECEEB132419 for <kitten@ietfa.amsl.com>; Wed, 16 Aug 2017 18:48:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMCQGMn9ZxM4 for <kitten@ietfa.amsl.com>; Wed, 16 Aug 2017 18:48:29 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25C26132416 for <kitten@ietf.org>; Wed, 16 Aug 2017 18:48:29 -0700 (PDT)
X-AuditID: 1209190e-d91ff70000000ad1-87-5994f5eb3035
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 99.72.02769.BE5F4995; Wed, 16 Aug 2017 21:48:28 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v7H1mQ7u017528; Wed, 16 Aug 2017 21:48:27 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7H1mM8a025818 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 16 Aug 2017 21:48:25 -0400
Date: Wed, 16 Aug 2017 20:48:22 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <20170817014822.GV70977@kduck.kaduk.org>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu> <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu> <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu> <b3cb2607-dad0-c44e-7eca-20e6743b231e@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <b3cb2607-dad0-c44e-7eca-20e6743b231e@mit.edu>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/1VPIKqSptFEmKI6m4tXt36-e9NY>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 01:48:31 -0000

On Mon, Aug 14, 2017 at 02:01:48PM -0400, Greg Hudson wrote:
> On 08/14/2017 01:30 PM, Henry B (Hank) Hotz, CISSP wrote:
> >>> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.
> >>
> >> The word "Next" is intended, but I can see that "will complete its part
> >> of the SPAKE process" is too vague--it is not clear that it is
> >> describing a computation step with no protocol messages.  I propose this
> >> wording, combining the first two paragraphs:
> >>
> >>    Upon receipt of the challenge message, the client will complete
> >>    its part of the SPAKE algorithm, generating a public key and
> >>    computing the shared secret K. Next, the client chooses one of the
> >>    second factor types [...]
> > 
> > Hmmm. I still wasn’t interpreting it right. If you say “next” I wonder what the preceding “first” or “next” was. I didn’t have an explicit referent to halt my mental search. In this case I think it’s:
> 
> Perhaps using "then" instead of next will help?  Current proposed
> wording (with some minor edits to the later sentences):

I don't think "next" vs. "then" is a big difference, it's more a question
of whether the first sentence is giving an overview of what will happen
in the section, or just the first step in what happens.  (When Henry
first mentioned it, I thought it was the former, but now see it's the latter.)

>     Upon receipt of the challenge message, the client will complete
>     its part of the SPAKE algorithm, generating a public key and
>     computing the shared secret K. The client will then choose one of
>     the second factor types listed in the factors field of the challenge
>     message and gather whatever data is required for the chosen second
>     factor type, possibly using the associated challenge data. Finally,
>     the client will send an AS-REQ containing a PA-SPAKE PA-DATA
>     element using the response choice.

I think that's more clear, thanks.

-Ben


From nobody Wed Aug 16 18:51:48 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E92C713240C for <kitten@ietfa.amsl.com>; Wed, 16 Aug 2017 18:51:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMvub4f9VJ-r for <kitten@ietfa.amsl.com>; Wed, 16 Aug 2017 18:51:44 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 327A5132407 for <kitten@ietf.org>; Wed, 16 Aug 2017 18:51:43 -0700 (PDT)
X-AuditID: 12074424-39dff70000005ed3-ab-5994f6ae208d
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id D2.33.24275.EA6F4995; Wed, 16 Aug 2017 21:51:42 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v7H1pfs2017759; Wed, 16 Aug 2017 21:51:41 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7H1pbKm026728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 16 Aug 2017 21:51:39 -0400
Date: Wed, 16 Aug 2017 20:51:37 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
Cc: Greg Hudson <ghudson@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <20170817015136.GW70977@kduck.kaduk.org>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu> <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu> <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/uBvZDvZ5RbIDGxrtCylohq8TCBw>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 01:51:46 -0000

On Mon, Aug 14, 2017 at 10:30:23AM -0700, Henry B (Hank) Hotz, CISSP wrote:
> 
> > On Aug 14, 2017, at 8:13 AM, Greg Hudson <ghudson@mit.edu> wrote:
> > 
> > Thanks very much for the review.  I know that this draft is a bit denser
> > than some.
> 
> The density is whatever it needs to be for the subject. The material is well organized, and clear per se, but the reader needs to know that some material needed to appreciate the early sections is in later sections. 
> 
> If we can get someone else new to go through it and see if more forward references are needed . . .

I marked up a few more places in addition to the couple you mentioned already,
in my first pass through it.  (Actual review email to come soon, I hope.)



[in separate mail]

> The precise form of pake specified is apparently unique in some details. I
> wonder if we should get the cfrg to review and comment on it.

I do plan to mention it to Kenny Paterson, as we had talked about this
work in a general sense previously.  He is of course well-qualified to
assess whether seeking full CFRG input is merited.

-Ben


From nobody Fri Aug 18 05:36:06 2017
Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902E8124E15 for <kitten@ietfa.amsl.com>; Fri, 18 Aug 2017 05:36:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvE6U4br1Z1n for <kitten@ietfa.amsl.com>; Fri, 18 Aug 2017 05:36:01 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::147:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3941126B7E for <kitten@ietf.org>; Fri, 18 Aug 2017 05:36:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org;  s=42627210; h=Date:Message-ID:From:To:CC; bh=3C2Gy1JZy72k0SVabfjvk9+4rcVHPSiifL/VyHNq+t8=; b=JPYMHJ6t2EFl6DMQxUcvQVimzO CwlSG4zfc2diPNFOkmjsgsFwqGzhNZSHA67fK8lk6f6vcDS0THi/UXItifnZlQJoUKalFhuTDtoML bgabI6un7KbtM5wCPFxDMMf20BTYBvz4hOyIUnXCnHhJB8y6au6Ar045XP1saKl83bNQ=;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim) id 1digVJ-0004JQ-0Q; Fri, 18 Aug 2017 12:35:57 +0000
To: "heimdal-discuss@sics.se" <heimdal-discuss@sics.se>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Date: Fri, 18 Aug 2017 14:35:51 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="03BqOnf8cxPdiniASotk7IcXE6xi411Ft"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/KpPapY7_Ygj0RtJQe6CvOhdPphU>
Subject: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-List-Received-Date: Fri, 18 Aug 2017 12:36:04 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--03BqOnf8cxPdiniASotk7IcXE6xi411Ft
Content-Type: multipart/mixed; boundary="NcOxn9IoQ1euGiL204E1L9Mnxav2qrTfp";
 protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: "heimdal-discuss@sics.se" <heimdal-discuss@sics.se>,
 "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org"
 <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Message-ID: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Subject: Checking the transited list of a kerberos ticket in a transitive
 cross-realm trust situation...

--NcOxn9IoQ1euGiL204E1L9Mnxav2qrTfp
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi,

I'm currently researching how I can implement S4U2Self in
Samba's winbindd in order to get the PAC with the full
Windows authorization token in a reliable way for any user
within an active directory forest as well as across transitive
forest trusts.

The only thing that should be required is a service (computer) account
in the primary domain/realm.

But in practice I'm facing several problems:

Heimdal (at least the copy of ~ 1.5 within Samba)
doesn't support S4U2Self for cross-realm trusts.

MIT (tested with 1.14.3) supports S4U2Self for
cross-realm trusts, which are in a simple hierarchy.
Otherwise it complains and returns KRB5KRB_AP_ERR_ILL_CR_TKT.
That can be fixed if I add the correct magic to the [capaths] section
of krb5.conf.

The problem happens when you have 2 tree root domains within an
active directory forest together with a forest trust.

In my case I have a forest called W4EDOM-L4.BASE with a single domain
and a forest called BLA.BASE with a 2nd domain BLA2.BASE.

So the trust path between W4EDOM-L4.BASE and BLA2.BASE goes via BLA.BASE.

In an active directory environment domain members just delegate
authentication to the domain controllers, so they trust
their DCs to do the correct things, e.g. applying SID-Filtering
for the PAC within the tickets.

So the service can just verify the PAC was correctly signed by
a KDC of its own realm and everything else shouldn't matter,
it doesn't have to know about the full trust topology!

While thinking about this I can't see any value in checking the
transited list of the ticket. As that list is always under the
control of the KDC that issued the ticket. And the service
trusts its own KDC anyway, as well as any KDC in the trust
chain trusts the next hop. The only reason for this list
might be debugging.

The thing is that KDCs should apply some policies
of which client realms can come over which direct trust.
As KDCs have some knowledge about the trust topology.
This is basically what the SID-Filtering in active directory
is for, it prevents DCs from other domains/realms to impersonate
principals of the local realm.

Is there any reason to keep the krb5_check_transited() (in Heimdal)
and krb5_check_transited_list() (in MIT) in their current form?

If a KDC checks something it should be checking the PA-TGS-REQ,
and verify the client realm is allowed to transit via the
realm of the (cross-realm) tgt. But checking the transited field
of the ticket seems pointless to me.

If there's however a good reason to keep the checks for non
active directory realms, I'd propose to add something like
gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
to Heimdal and MIT in order to allow applications to avoid
the pointless checks.

Comments on this would be highly appreciated!

If you're not so familiar with active directory domains,
please have a look at:
https://www.samba.org/~metze/presentations/2017/SambaXP/StefanMetzmacher_sambaxp2017_windows_authentication-rev1-handout.pdf

Thanks!
metze


--NcOxn9IoQ1euGiL204E1L9Mnxav2qrTfp--

--03BqOnf8cxPdiniASotk7IcXE6xi411Ft
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--03BqOnf8cxPdiniASotk7IcXE6xi411Ft--
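
The acceptor-side check questioned in the message above can be modelled in a few lines. The following is an added example, not part of the original message and not code from MIT krb5, Heimdal or Samba: it parses a [capaths] section and applies a simplified transited check to the W4EDOM-L4.BASE / BLA.BASE / BLA2.BASE topology, showing the default hierarchical path rejecting BLA.BASE and a [capaths] entry accepting it. The entry's direction, the assumed client realm (BLA2.BASE) and OTHER.EXAMPLE are constructed assumptions, and the path logic is a model of the hierarchical default rather than either library's implementation.

```python
# Added illustration: simplified model of an acceptor-side transited check.
# Realm names come from the message; the [capaths] entry, its direction and
# OTHER.EXAMPLE are constructed assumptions.

ILL_CR_TKT = "KRB5KRB_AP_ERR_ILL_CR_TKT"

# Constructed krb5.conf fragment: tickets for clients in BLA2.BASE presented
# to services in W4EDOM-L4.BASE may transit BLA.BASE.
SAMPLE_KRB5_CONF = """
[capaths]
    BLA2.BASE = {
        W4EDOM-L4.BASE = BLA.BASE
    }
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate, ...]}}."""
    capaths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[capaths]"
            continue
        if not in_section:
            continue
        if line == "}":
            client = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            client = key
            capaths.setdefault(client, {})
        elif client is not None:
            # Repeated keys list several intermediates; "." means direct trust.
            capaths[client].setdefault(key, []).append(value)
    return capaths


def hierarchical_path(client, server):
    """Intermediate realms on the default path: up from the client realm to
    the longest common domain suffix, then down towards the server realm."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return []  # model assumption: no shared suffix, no intermediates
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]


def expected_intermediates(client, server, capaths):
    """A [capaths] entry overrides the hierarchical default when present."""
    entry = capaths.get(client, {}).get(server)
    if entry is None:
        return hierarchical_path(client, server)
    return [r for r in entry if r != "."]


def check_transited(client, server, transited, capaths):
    """Return ("OK", []) or (ILL_CR_TKT, [realms not on the expected path])."""
    if client == server:
        return ("OK", [])
    allowed = set(expected_intermediates(client, server, capaths))
    rejected = [r for r in transited if r not in allowed]
    return (ILL_CR_TKT, rejected) if rejected else ("OK", [])


if __name__ == "__main__":
    client, server = "BLA2.BASE", "W4EDOM-L4.BASE"
    capaths = parse_capaths(SAMPLE_KRB5_CONF)
    # No [capaths]: the model expects transit via BASE, so BLA.BASE is refused.
    print(check_transited(client, server, ["BLA.BASE"], {}))
    # With the constructed [capaths] entry the same ticket is accepted.
    print(check_transited(client, server, ["BLA.BASE"], capaths))
    # A realm that is not on the configured path is still refused.
    print(check_transited(client, server, ["BLA.BASE", "OTHER.EXAMPLE"], capaths))
```
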


From nobody Fri Aug 18 06:22:34 2017
Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55F8F1323AC for <kitten@ietfa.amsl.com>; Fri, 18 Aug 2017 06:22:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDg_93HBUT2r for <kitten@ietfa.amsl.com>; Fri, 18 Aug 2017 06:22:26 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::147:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9879013235B for <kitten@ietf.org>; Fri, 18 Aug 2017 06:22:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org;  s=42627210; h=Date:Message-ID:From:To:CC; bh=14dAxMkz1ul2BMV3x2sYwi9+mZqt8QR8cUg0czqSJDc=; b=KAeBjnmsfgPaXONB/S7tuzGql7 e4wnKtnZFClXvtFzfHTjsQ/717BImQnAz822FEt6ubE3edaFKd72tl+6aaghV1wdskcv8hUJTw5ML 0CS6VbjFICWs6BUHu3cZA81UmWIt9E2vj9o2hi7enCskHB3wht7tr71j7oWt5xzUehaE=;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim) id 1dihDz-00059Q-Ve; Fri, 18 Aug 2017 13:22:08 +0000
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>, "heimdal-discuss@h5l.org" <heimdal-discuss@h5l.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <fe30e2fa-089e-9142-e868-49f6f17cd1c3@samba.org>
Date: Fri, 18 Aug 2017 15:22:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PMYN8_vrZTNPJ27g-QqPTXrJ7xI>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-List-Received-Date: Fri, 18 Aug 2017 13:22:29 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI
Content-Type: multipart/mixed; boundary="7qMqI6IB7IdHBMHJTBmsJ81MSe8HQMfPC";
 protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
 "kitten@ietf.org" <kitten@ietf.org>,
 Samba Technical <samba-technical@lists.samba.org>,
 "heimdal-discuss@h5l.org" <heimdal-discuss@h5l.org>
Message-ID: <fe30e2fa-089e-9142-e868-49f6f17cd1c3@samba.org>
Subject: Re: Checking the transited list of a kerberos ticket in a transitive
 cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>

--7qMqI6IB7IdHBMHJTBmsJ81MSe8HQMfPC
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Moving this from heimdal-discuss@sics.se to heimdal-discuss@h5l.org,
sorry...

On 18.08.2017 at 14:35, Stefan Metzmacher via samba-technical wrote:
> Hi,
>
> I'm currently researching how I can implement S4U2Self in
> Samba's winbindd in order to get the PAC with the full
> Windows authorization token in a reliable way for any user
> within an active directory forest as well as across transitive
> forest trusts.
>
> The only thing that should be required is a service (computer) account
> in the primary domain/realm.
>
> But in practice I'm facing several problems:
>
> Heimdal (at least the copy of ~ 1.5 within Samba)
> doesn't support S4U2Self for cross-realm trusts.
>
> MIT (tested with 1.14.3) supports S4U2Self for
> cross-realm trusts, which are in a simple hierarchy.
> Otherwise it complains and returns KRB5KRB_AP_ERR_ILL_CR_TKT.
> That can be fixed if I add the correct magic to the [capaths] section
> of krb5.conf.
>
> The problem happens when you have 2 tree root domains within an
> active directory forest together with a forest trust.
>
> In my case I have a forest called W4EDOM-L4.BASE with a single domain
> and a forest called BLA.BASE with a 2nd domain BLA2.BASE.
>
> So the trust path between W4EDOM-L4.BASE and BLA2.BASE goes via BLA.BASE.
>
> In an active directory environment domain members just delegate
> authentication to the domain controllers, so they trust
> their DCs to do the correct things, e.g. applying SID-Filtering
> for the PAC within the tickets.
>
> So the service can just verify the PAC was correctly signed by
> a KDC of its own realm and everything else shouldn't matter,
> it doesn't have to know about the full trust topology!
>
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.
>
> The thing is that KDCs should apply some policies
> of which client realms can come over which direct trust.
> As KDCs have some knowledge about the trust topology.
> This is basically what the SID-Filtering in active directory
> is for, it prevents DCs from other domains/realms to impersonate
> principals of the local realm.
>
> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) in their current form?
>
> If a KDC checks something it should be checking the PA-TGS-REQ,
> and verify the client realm is allowed to transit via the
> realm of the (cross-realm) tgt. But checking the transited field
> of the ticket seems pointless to me.
>
> If there's however a good reason to keep the checks for non
> active directory realms, I'd propose to add something like
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
> to Heimdal and MIT in order to allow applications to avoid
> the pointless checks.
>
> Comments on this would be highly appreciated!
>
> If you're not so familiar with active directory domains,
> please have a look at:
> https://www.samba.org/~metze/presentations/2017/SambaXP/StefanMetzmacher_sambaxp2017_windows_authentication-rev1-handout.pdf
>
> Thanks!
> metze
>



--7qMqI6IB7IdHBMHJTBmsJ81MSe8HQMfPC--

--sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI--


From nobody Fri Aug 18 11:10:57 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02FA5126B71; Fri, 18 Aug 2017 11:10:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6BFmleC71kV; Fri, 18 Aug 2017 11:10:52 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5393A120727; Fri, 18 Aug 2017 11:10:49 -0700 (PDT)
X-AuditID: 1209190d-cb3ff700000030cd-d9-59972da7ca0e
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id CF.FC.12493.7AD27995; Fri, 18 Aug 2017 14:10:47 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v7IIAkjn002617; Fri, 18 Aug 2017 14:10:47 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7IIAh2q029231 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 18 Aug 2017 14:10:45 -0400
Date: Fri, 18 Aug 2017 13:10:43 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: kitten@ietf.org
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org
Message-ID: <20170818181043.GC35188@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Eymk0G8wUYW2pXNEjkSv0OE3WyU>
Subject: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-List-Received-Date: Fri, 18 Aug 2017 18:10:55 -0000

Hi all,

With no hats.

Big-picture questions:

Our transcript hash covers just the SPAKE negotiation messages (and
excludes the rest of the AS-REQ/AS-REP bodies, even the SPAKE second
factor messages as well?!), though the final KDC-REQ-BODY does get
included in the key derivation.  I haven't thought too hard about
whether this is potentially problematic, but are there reasons why
it would be difficult to hash everything for the transcript?
Oh, or is the claim that since the KDC-REQ-BODY goes into the K'
calculation that we get confirmation of "everything" anyway?

We do reply key strengthening with K'[0] at present.  It seems like
using K'[last-n-of-proper-parity] would include more transcript
checksum and thus nominally be "better"; is that flawed reasoning?

We should have test vectors before final publication.

I'm not sure that the registry policies make sense, most notably
with respect to marking things as Required (to implement).  That
would seem to be effectively updating this document, and as such
require standards action.  In a weaker sense, anything adding values
in these registries could be seen as adding to the ASN.1 module, but
since it does so in a way that is clearly intended to be extensible
this seems less problematic to me.

Do we want to add padding to any of the ASN.1 structures to provide
a way to limit side channels, or leave that to the specifications of
individual factors?

General review comments:

In section 1.1, item (4) (either side can store password or equivalent)
makes it sound like only one side needs to store anything.  Maybe it's
supposed to say that "Each side has freedom to pick whether to store
a password or password-equivalent"?

I'll also note that OpenSSL has recently changed its documentation to
refer to the more-vague "randomness" since it can be hard to use "entropy"
in a technically correct way.  But that decision seems to fall squarely
within editorial discretion, even if I had a strong opinion about it
(which I don't).

I wonder to some extent whether all of section 1.2 is needed for a final
document.  Perhaps a shorter statement noting that there are multiple
different PAKEs available, DH-EKE's requirement for indistinguishable-from-random
keys makes it unsuitable, and JPAKE is less preferred due to the extra
round trip and server computation would suffice, before launching into
the description of the actual PAKE being used.

Section 1.2 should probably compare the single-round-trip nature of
SPAKE against the round-trip count of ENC_TIMESTAMP.

Section 1.3 notes that we allow secure transfer of material from client
to KDC for verification; while reviewing I noted that (the initial
challenge) from KDC to client remains unauthenticated; do we want to
mention that limitation explicitly here?

The last paragraph of section 1.4 left me a little puzzled, possibly
just because of the word "also".  It seems like we're mostly just
justifying the scheme here, using a parallel to the normal RFC3961
key derivation, as well as a (not-very-clear) reference to the key
derivation scheme used in the original SPAKE2 draft which is where
the term "K'" originates.  So, I think this could be reworded some,
assuming I am understanding it properly.
(We could also call out that this derivation is step (3) of the list.)

In section 3.1, should we give a RFC+section reference for the
"initial KDC preauthentication state" we are relying on?

I thought a little bit about proposing to exclude the ASN.1 extension
marker from PA-SPAKE, but the argument for doing so is fairly weak
and it doesn't really have a downside, so I guess it should stay.
(We could perhaps be clear that an "empty" value is a zero-length
OCTET STRING.)

Section 4.1 seems like it could be read as saying that the client
should send an AS-REQ with no PA-DATA, and then the KDC responds with
a KRB-ERROR and only the PA-SPAKE METHOD-DATA (and no others), so that
a client that doesn't support SPAKE is stuck.  We should probably
clarify that METHOD-DATA is expected to contain other things, too.
We could also justify the SHOULD with a claim that this preauth
scheme is currently believed to be the best/strongest one that is
possible when passwords are used.  (PKINIT could be argued to be stronger;
is there anything else for which we could make that claim?)

Section 4.2 lets ("MAY") the KDC pick a group not listed by the client;
do we ever expect this to result in a working connection?

In section 4.6, a forward reference to section 6 when mentioning the
transcript hash could be helpful.

At the end of section 5 we prevent certain reuse of x and y values;
it might be nice if the security considerations were subsectioned
so that this could have a forward reference to the justification for
this restriction.

I would consider moving the note that the PRF+ used here is the
RFC6113 one earlier, perhaps even to the introduction if not the
start of section 7 where we talk about "PRF+ input".

Should section 8 note that the value 0 is reserved?

Section 9 fourth paragraph could perhaps say a bit more about why
the client cannot be a signing oracle.

Also in section 9, now on page 14, second paragraph, I'm not
entirely sure what is at risk of compromise, which also leaves me
confused as to whether the "non-" part of "non-negligible" is
correct.

Just below, for the paragraph after the list of forbidden checksum
types, we talk of the EncryptedData messages having potential side
channels.  It seems that this may apply to both the encdata arm of
the PA-SPAKE CHOICE and the SpakeResponse factor; should we make
this more explicit?

The next paragraph talks of an attacker being able to replay the
final message to any of the realm's KDCs, but does not comment
on whether multiple replays are possible at a given KDC.  (As I
understand it, MIT's lookaside cache would be expected to trigger
and not incur additional authentication being logged, but I don't
know that that's universal.)

In section 11, I think you're not supposed to mention a list that
doesn't exist yet, at least without asking for a list to be created
and suggesting a name.  While here, "end of the review" could get
"period" after it, and "the list" could be expanded out as to the
review list or kitten or other, as well as clarifying the expected
membership of the review list (i.e., public or just the experts).
Also, the URI or unique identifier should probably specifically be
stable as well.

The ASN.1 module includes an OID for spake; is that officially
assigned?

Some nits appear below.

Thanks,

Ben


Nits:

In the abstract, "secure second factor" is really vague about what the
"secure" means.  Perhaps it's best to just drop it, or otherwise clarify.

The wording of Section 1 could probably be tightened up some -- "this
method" (PA-ENC-TIMESTAMP) is not the only thing vulnerable to passive
brute-forcing, what the passive attacker needs to see can be clarified, and
we could emphasize that the offline attacks require comparatively modest
effort (in the face of weak passwords):

When a client uses PA-ENC-TIMESTAMP (or similar schemes, or the KDC
does not require preauthentication), a passive attacker that observes
either the AS-REQ or AS-REP can perform an offline brute-force attack
against the transferred ciphertext.  When the client principal's long-term
key is based on a password, especially a weak password, offline dictionary
attacks can successfully recover the key, with only modest effort needed
in the case of a weak password.

In section 1.2, we say "markedly smaller key sizes with equivalent security
to a finite-field Diffie-Hellman key exchange", which is somewhat awkward.
It might be better to say something like ", which is believed to provide
equivalent security levels as finite-field DH key exchange at much smaller
key sizes".

In section 1.3, first sentence, we talk about being "coupled with" 2FA.
But PAKE is one of the two factors, so it's probably better to say
"part of 2FA" or "along with additional authentication factor(s)".

Section 1.3, second paragraph says that protecting the OTP ("second")
factor "has been mitigated" via FAST; I might consider using a less
complex verb tense like "is" or "was".  Later in the same paragraph, maybe
s/instead/in contrast/, and specify that the key exchange is an
asymmetric one, since we do a lot of symmetric key exchange in Kerberos.

In section 2, when mentioning ASN.1 and DER, please add ", respectively"
to bind the term to the document in question.

In section 4, first paragraph, please note that the indicated facilities
are FAST facilities.

The first paragraph/sentence of section 5 is rather ungainly; could
it be reworded and/or split in twain?

Also in section 5, I'd consider adding an "as" before "defined" in
item 1 and before "a big-endian" in item 2.  Item 2 should probably
also clarify that there is no trailing 0 included.

The phrase "registry created by this document" could change to
"registry (created by this document)" in multiple places.  But maybe
we should just leave that to the RFC Editor's stylebook.

In section 6, the initial transcript checksum is said to contain
"all zero values"; would something like "the initial value consists
of all bits set to zero" be better?

Page 15, second-to-last paragraph, "is weaker than the secret key"
could include a secret key derived from a weak password, whose
brute-force resistance is quite low (and part of the justification
for this behavior).  It's probably better to talk about the key size
of the secret key and the strength attributed to keys of that size,
than just the strength of the key itself.


From nobody Sat Aug 19 11:17:55 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B715F1329B5; Sat, 19 Aug 2017 11:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YexbllKKz7cn; Sat, 19 Aug 2017 11:17:51 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E91561329B2; Sat, 19 Aug 2017 11:17:50 -0700 (PDT)
X-AuditID: 1209190e-501ff70000006646-03-599880cc6d88
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 25.58.26182.CC088995; Sat, 19 Aug 2017 14:17:48 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v7JIHllR020989; Sat, 19 Aug 2017 14:17:47 -0400
Received: from [18.101.8.183] (VPN-18-101-8-183.MIT.EDU [18.101.8.183]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7JIHi4F010204 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 19 Aug 2017 14:17:46 -0400
To: Benjamin Kaduk <kaduk@mit.edu>, kitten@ietf.org
References: <20170818181043.GC35188@kduck.kaduk.org>
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu>
Date: Sat, 19 Aug 2017 14:17:44 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170818181043.GC35188@kduck.kaduk.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/CLgw8LKCq-Lo5SznJAXLhtby_VQ>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-List-Received-Date: Sat, 19 Aug 2017 18:17:54 -0000

On 08/18/2017 02:10 PM, Benjamin Kaduk wrote:
> Our transcript hash covers just the SPAKE negotiation messages (and
> excludes the rest of the AS-REQ/AS-REP bodies, even the SPAKE second
> factor messages as well?!), though the final KDC-REQ-BODY does get
> included in the key derivation.  I haven't thought too hard about
> whether this is potentially problematic, but are there reasons why
> it would be difficult to hash everything for the transcript?
> Oh, or is the claim that since the KDC-REQ-BODY goes into the K'
> calculation that we get confirmation of "everything" anyway?

The transcript checksum is a vehicle for key derivation.  The primary
requirement for key derivation (from the SPAKE2 algorithm) is that it
must take into account the identities of both parties, both public
values, the initial secret, and the computed shared group element.  The
final KDC-REQ-BODY gives us the party identities (with the ancillary
bonus of including other request parameters), and the transcript
checksum includes the public values (with the ancillary bonus of
including the advertised group numbers from the client if a SPAKESupport
message was part of the exchange, in case there was a downgrade attack).

Things we could include in the transcript checksum but currently do not
include:

* Other pa-data values in the request.  Including these would be
difficult to implement, and would present a chicken-and-egg problem if
other pa-data types want to do the same thing.

* KDC-REQ-BODY encodings other than the final one.  I don't see a
problem with including these in the transcript hash, but I don't see an
advantage either.

* More parts of intermediate KRB-ERRORs than the SPAKE pa-data.  The
only part of an intermediate KRB-ERROR used by the client is the error
code (PREAUTH_REQUIRED or MORE_PREAUTH_DATA_REQUIRED), and I don't see
any wiggle room for the attacker in manipulating that.

* Second-factor messages.  In the current design, the same transcript
checksum is used for all K'[n] derivations, and the first derivation is
used to encrypt the first SPAKESecondFactor, before any other
second-factor messages are created.  Changing the design to include a
variable transcript hash would, I think, make the standard harder to
understand and implement.

* Parts of the AS-REP.  No SPAKE message accompanies the AS-REP, so this
could only be used for the derivation of the final reply key used to
encrypt the enc-part.  As for the previous bullet, including any part of
the AS-REP would require changing the transcript checksum for different
key derivations.  Most of the AS-REP contents (everything but the
ticket) are redundant or couldn't be included in the derivation for one
reason or another anyway.

> We do reply key strengthening with K'[0] at present.  It seems like
> using K'[last-n-of-proper-parity] would include more transcript
> checksum and thus nominally be "better"; is that flawed reasoning?

As noted above, the transcript checksum does not depend on n.  n is just
a numeric parameter that feeds into the key derivation function.

Obviously this aspect of the design needs to be more explicit.  I
propose to add this sentence to section 6 after the sentence beginning
"It therefore incorporates...":

    Once the transcript checksum is finalized, it is used without
    change for all key derivations (section 7).

> We should have test vectors before final publication.

Agreed.  I have the ability to generate test vectors (using a separate
Python implementation, not the C implementation for MIT krb5), but they
will change when key usage values are assigned, so I haven't included
any in the draft yet.

> I'm not sure that the registry policies make sense, most notably
> with respect to marking things as Required (to implement).

I tend to agree that any mandatory-to-implement policy should be written
into this draft, and not be part of the registry.

> In a weaker sense, anything adding values
> in these registries could be seen as adding to the ASN.1 module

To my mind, the ASN.1 module only defines the wire encoding of
particular data inputs.  That encoding does not change when new groups
are added.

> Do we want to add padding to any of the ASN.1 structures to provide
> a way to limit side channels, or leave that to the specifications of
> individual factors?

The latter, I think.

> In section 1.1, item (4) (either side can store password or equivalent)
> makes it sound like only one side needs to store anything.  Maybe it's
> supposed to say that "Each side has freedom to pick whether to store
> a password or password-equivalent"?

I am not personally sure what this bullet point means; I will make a
note to discuss it.

> I'll also note that OpenSSL has recently changed its documentation to
> refer to the more-vague "randomness" since it can be hard to use "entropy"
> in a technically correct way.  But that decision seems to fall squarely
> within editorial discretion, even if I had a strong opinion about it
> (which I don't).

I have seen people quibble with using "entropy" the way that some
cryptographic documents do (very roughly, to mean the number of equally
likely values a state variable could have given all of the information
available to an attacker), but I never saw how "randomness" was better.

> I wonder to some extent whether all of section 1.2 is needed for a final
> document.

This section hasn't necessarily aged well, as there are other PAKE
algorithms not described within.  I would be okay with shortening it,
perhaps not to name any specific alternatives.

> Section 1.2 should probably compare the single-round-trip nature of
> SPAKE against the round-trip count of ENC_TIMESTAMP.

I am not sure there's any concise comparison to be made for this
section.  The way we are using SPAKE (with the KDC presenting the
initial public value) means we might use one more round trip than
encrypted timestamp, or we might use the same number if one of the
described optimizations is used.

> Section 1.3 notes that we allow secure transfer of material from client
> to KDC for verification; while reviewing I noted that (the initial
> challenge) from KDC to client remains unauthenticated; do we want to
> mention that limitation explicitly here?

It is pointed out in the security considerations.  I can see how section
1.3 as currently written could be a little deceptive; however, at this
point the text is speaking generally about how a PAKE can be used in the
design of Kerberos two-factor authentication.  As we haven't even
started talking concretely about the SPAKE preauth mech, I'm not
comfortable adding that caveat here.

> The last paragraph of section 1.4 left me a little puzzled, possibly
> just because of the word "also".

I will take it out.

> It seems like we're mostly just justifying the scheme here

We currently refer normatively to the CFRG SPAKE2 document.  Someone who
has read that document needs to know how this protocol relates to it.
Here we are saying that we use a custom key derivation function, as
allowed by that draft.

(As the CFRG draft hasn't advanced for many months, Nathaniel and I have
discussed the possibility of not using it normatively, and describing
the algorithm in this document instead.  But that's a wider topic.)

> In section 3.1, should we give a RFC+section reference for the
> "initail KDC preauthentication state" we are relying on?

It would just be another reference to RFC 6113 section 2.1.

> I thought a little bit about proposing to exclude the ASN.1 extension
> marker from PA-SPAKE, but the argument for doing so is fairly weak
> and it doesn't really have a downside, so I guess it should stay.
> (We could perhaps be clear that an "empty" value is a zero-length
> OCTET STRING.)

I'm a bit paranoid about tricking implementors into putting 04 00 into
the padata-value, rather than using 04 00 as the padata-value.  In my
mental model, RFC 4120 already specifies that padata-value is a
non-optional OCTET STRING, and that's not really within the purview of
this document.  I know that other people have their own models, but I am
not really worried about an implementor leaving out the padata-value
entirely as that would quickly be discovered in interop testing.

> Section 4.1 seems like it could be read as saying that the client
> should send an AS-REQ with no PA-DATA, and then the KDC responds with
> a KRB-ERROR and only the PA-SPAKE METHOD-DATA (and no others)

I will add a parenthetical "(possibly in addition to other PA-DATA
elements)".

> Section 4.2 lets ("MAY") the KDC pick a group not listed by the client;
> do we ever expect this to result in a working connection?

I can bring that up again for discussion; I know I've talked about it
with Nathaniel before, but I can't remember the details.  One possible
use is to communicate to the client what it would have to
implement/enable to interop with the KDC, even if we don't expect it to
work for this particular exchange.

> In section 4.6, a forward reference to section 6 when mentioning the
> transcript hash could be helpful.

We have a forward reference in the first use of "transcript checksum" in
section 4.2, and not for the second use in section 4.2 or the use in
section 4.3.  As section 4.6 describes a modification of 4.1/4.2/4.3,
I'm not sure we need another forward reference.

I did note that we inconsistently use "transcript hash" and "transcript
checksum".  I will standardize on "transcript checksum".

> At the end of section 5 we prevent certain reuse of x and y values;
> it might be nice if the security considerations were subsectioned
> so that this could have a forward reference to the justification for
> this restriction.

Agreed, but breaking down the security considerations into units
requires some thought.  I might or might not do this.

> I would consider moving the note that the PRF+ used here is the
> RFC6113 one earlier, perhaps even to the introduction if not the
> start of section 7 where we talk about "PRF+ input".

We use PRF+ in two places (section 5 and section 7).  In both places, we
refer to RFC 6113 right after we use the function.  It is true that in
section 7 we talk at some length about the PRF+ input string before
actually invoking PRF+ and including the reference, but I don't see that
as a problem--it would be pretty hard for an implementor to miss the
reference and use the wrong PRF+.  I would be okay with just defining
the "input string" without referencing PRF+ until afterwards, if that
would be clearer.

> Should section 8 note that the value 0 is reserved?

It is reserved in section 11.1.  I don't see a need to echo that in
section 8.

> Section 9 fourth paragraph could perhaps say a bit more about why
> the client cannot be a signing oracle.

Can you be more specific or propose text?  I don't know how to act on
this feedback item.

> Also in section 9, now on page 14, second paragraph, I'm not
> entirely sure what is at risk of compromise, which also leaves me
> confused as to whether the "non-" part of "non-negligible" is
> correct.

That paragraph seems vague and could possibly be removed.  If an
implementation doesn't derive the right encryption keys, it won't
interop or match the (forthcoming) test vectors anyway.

> Just below, for the paragraph after the list of forbidden checksum
> types, we talk of the EncryptedData messages having potential side
> channels.  It seems that this may apply to both the encdata arm of
> the PA-SPAKE CHOICE and the SpakeResponse factor; should we make
> this more explicit?

Both of those use EncryptedData (and are the only uses of EncryptedData
in the spec), so yes, it's intended to apply to both.  I'll propose this
text:

    Both the size of the EncryptedData and the number of
    EncryptedData messages used for second-factor data (including the
    factor field of the SPAKEResponse message and messages using the
    encdata PA-SPAKE choice) may reveal information about the second
    factor used in an authentication.

> The next paragraph talks of an attacker being able to replay the
> final message to any of the realm's KDCs, but does not comment
> on whether multiple replays are possible at a given KDC.  (As I
> understand it, MIT's lookaside cache would be expected to trigger
> and not incur additional authentication being logged, but I don't
> know that that's universal.)

I think this was my text, and my intent was to include both the same KDC
and other KDCs.  I wouldn't expect the lookaside cache to be much
protection, as the attacker could probably make small manipulations to
the request so that it doesn't match byte-for-byte.  I'm not sure the
text needs to make that any more explicit.

> The ASN.1 module includes an OID for spake; is that officially
> assigned?

Yes.

> In the abstract, "secure second factor" is really vague about what the
> "secure" means.  Perhaps it's best to just drop it, or otherwise clarify.

I will drop the word "secure" (and also fix the typo for "achieved" nearby).

[Proposed wording:]
> When a client uses PA-ENC-TIMESTAMP (or similar schemes, or the KDC
> does not require preauthentication), a passive attacker that observes
> either the AS-REQ or AS-REP can perform an offline brute-force attack
> against the transferred ciphertext.  When the client principal's long-term
> key is based on a password, especially a weak password, offline dictionary
> attacks can successfully recover the key, with only modest effort needed
> in the case of a weak password.

Accepted, with "especially a weak password" removed and with "if the
password is weak" at the end.

> In section 1.2, we say "markedly smaller key sizes with equiavlent security
> to a finite-field Diffie-Hellman key exchange", which is somewhat awkward.
> It might be better to say something like ", which is believed to provide
> equivalent security levels as finite-field DH key exchange at much smaller
> key sizes".

Accepted, with "equivalent... as" changed to "equivalent... to".

> In section 1.3, first sentence, we talk about being "coupled with" 2FA.
> But PAKE is one of the two factors, so it's probably better to say
> "part of 2FA" or "along with additional authentication factor(s)".

I will change this to "when used as a component of two-factor
authentication".

> Section 1.3, second paragraph says that protecting the OTP ("second")
> factor "has been mitigated" via FAST; I might consider using a less
> complex verb tense like "is" or "was".

I will use "is".

> Later in the same paragraph, maybe
> s/instead/in contrast/, and specify that the key exchange is an
> asymmetric one, since we do a lot of symmetric key exchange in Kerberos.

I will use "in contrast", but I'm not sure it would add clarity to say
that the SPAKE key exchange is asymmetric--it does, after all, result in
a symmetric key.

> In section 2, when mentioning ASN.1 and DER, please add ", respectively"
> to bind the term to the document in question.

Accepted.

> In section 4, first paragraph, please note that the indicated facilities
> are FAST facilities.

I will add a reference to RFC 6113 section 3.

> The first paragraph/sentence of section 5 is rather ungainly; could
> it be reworded and/or split in twain?

I will just remove the middle part, so that it says:

    Group elements are converted to octet strings using the
    serialization method defined in the IANA "Kerberos SPAKE Groups"
    registry created by this document.

> Also in section 5, I'd consider adding an "as" before "defined" in
> item 1 and before "a big-endian" in item 2.

Accepted.

> Item 2 should probably also clarify that there is no trailing 0 included.

Disagree.  It would be very noisy to explicitly disclaim trailing 0
bytes every time IETF standards talk about strings.

> In section 6, the initial transcript checksum is said to contain
> "all zero values"; would something like "the initial value consists
> of all bits set to zero" be better?

Accepted.

> Page 15, second-to-last paragraph, "is weaker than the secret key"
> could include a secret key derived from a weak password, whose
> brute-force resistance is quite low (and part of the justification
> for this behavior).  It's probably better to talk about the key size
> of the secret key and the strength attributed to keys of that size,
> than just the strength of the key itself.

I propose:

    The selected group's resistance to offline brute-force attacks
    may not correspond to the size of the reply key. For performance
    reasons, a KDC MAY select a group whose brute-force work factor is
    less than the reply key length. [...]
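
The point made earlier in this message, that one finalized transcript checksum feeds every K'[n] derivation and that it covers the advertised group list, shown as an added example (not code from the draft, from MIT krb5, or from the author's Python implementation). SHA-256 and HMAC stand in for the enctype checksum and PRF+, the field layout in derive_key is an assumption, and every byte string is a constructed placeholder rather than a DER encoding.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def finalize_transcript(messages):
    """Fold the SPAKE messages, in order, into one transcript checksum."""
    checksum = bytes(HASH_LEN)  # initial value: all bits set to zero
    for msg in messages:
        checksum = hashlib.sha256(checksum + msg).digest()
    return checksum


def _field(data):
    """Length-prefix a field so adjacent inputs cannot run together."""
    return len(data).to_bytes(4, "big") + data


def derive_key(w, shared_element, transcript, final_req_body, n):
    """Stand-in for the K'[n] derivation (assumed layout, not the draft's).

    Inputs follow the list in the message: initial secret, shared group
    element, transcript checksum (public values), final KDC-REQ-BODY
    (party identities), and the numeric parameter n.
    """
    info = b"".join(_field(x) for x in (shared_element, transcript, final_req_body))
    info += n.to_bytes(4, "big")
    return hmac.new(w, info, hashlib.sha256).digest()


# Constructed placeholder inputs.
W = hashlib.sha256(b"constructed password-derived secret").digest()
SHARED = b"constructed shared group element K"
REQ_BODY = b"constructed final KDC-REQ-BODY: client@EXAMPLE, krbtgt/EXAMPLE"
SUPPORT_SENT = b"SPAKESupport groups=[1,2]"      # what the client sent
SUPPORT_ALTERED = b"SPAKESupport groups=[1]"     # group list changed in transit
CHALLENGE = b"SPAKEChallenge group=1 pubkey=T"
RESPONSE_PUB = b"SPAKEResponse pubkey=S"


def party_keys(support_seen, count=3):
    """Finalize the transcript once, then reuse it unchanged for every n."""
    transcript = finalize_transcript([support_seen, CHALLENGE, RESPONSE_PUB])
    keys = [derive_key(W, SHARED, transcript, REQ_BODY, n) for n in range(count)]
    return transcript, keys


def compare_views(kdc_saw_support):
    """Compare the client's keys with the KDC's, given what the KDC received.

    The shared element is held constant on both sides so that only the
    transcript's contribution is visible.
    """
    client_t, client_keys = party_keys(SUPPORT_SENT)
    kdc_t, kdc_keys = party_keys(kdc_saw_support)
    return {
        "transcripts_match": hmac.compare_digest(client_t, kdc_t),
        "keys_match": [hmac.compare_digest(a, b)
                       for a, b in zip(client_keys, kdc_keys)],
        "distinct_keys_per_party": len(set(client_keys)) == len(client_keys),
    }


if __name__ == "__main__":
    print("honest :", compare_views(SUPPORT_SENT))
    print("altered:", compare_views(SUPPORT_ALTERED))
```

With the altered group list no K'[n] agrees between the two sides, so the first encrypted second-factor message already fails to decrypt; n only separates the keys from one another.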


From nobody Mon Aug 21 07:06:00 2017
To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
Date: Mon, 21 Aug 2017 10:05:45 -0400
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/OOgu-cW26vxjuPTLajFLDiLLejU>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.

I'm not sure about "any KDC in the trust chain trusts the next hop."
RFC 4120 doesn't think about cross-realm relationships in terms of
trust.  Simply having cross-realm keys with another realm doesn't
necessarily imply that the other realm is trustworthy.

> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) in their current form?

Well, it's mandatory in RFC 4120 section 2.7:

   Application servers MUST either do the transited-realm checks
   themselves or reject cross-realm tickets without
   TRANSITED-POLICY-CHECKED set.

It would be okay to skip this check on application servers if the ticket
has the TRANSITED-POLICY-CHECKED flag.  Heimdal appears to do this but
MIT krb5 does not; I'm not sure why as that behavior dates to before my
time.
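
The RFC 4120 section 2.7 rule quoted above, written as an application-server decision function; this is an added example, not code from MIT krb5 or Heimdal. The Ticket class, the trusted_realms allow-list, the honor_kdc_flag switch and the realm names are assumptions, and the transited field is taken as an already-decoded list of realm names.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# RFC 4120 numbers TicketFlags bits from the most significant end;
# transited-policy-checked is bit 12 of the 32-bit flags field.
TRANSITED_POLICY_CHECKED = 1 << (31 - 12)


@dataclass
class Ticket:
    client_realm: str
    server_realm: str
    flags: int
    transited: List[str]  # intermediate realms, already decoded (assumption)


def check_transited(ticket: Ticket,
                    trusted_realms: Optional[Set[str]],
                    honor_kdc_flag: bool) -> Tuple[bool, str]:
    """Decide whether an application server accepts the ticket.

    trusted_realms: local allow-list of intermediate realms, or None when
        the server performs no transited check of its own.
    honor_kdc_flag: True skips the local check when the KDC set
        TRANSITED-POLICY-CHECKED (the behaviour the message attributes to
        Heimdal); False always checks locally (attributed to MIT krb5).
    """
    if ticket.client_realm == ticket.server_realm:
        return True, "same-realm ticket"

    kdc_checked = bool(ticket.flags & TRANSITED_POLICY_CHECKED)
    if honor_kdc_flag and kdc_checked:
        return True, "KDC set TRANSITED-POLICY-CHECKED"

    if trusted_realms is None:
        # Neither branch of the MUST is satisfied: reject.
        return False, "no local check and no accepted KDC flag"

    untrusted = [r for r in ticket.transited if r not in trusted_realms]
    if untrusted:
        return False, "untrusted intermediate realm(s): " + ", ".join(untrusted)
    return True, "local transited check passed"


# Constructed sample tickets.
LOCAL_POLICY = {"HUB.EXAMPLE"}
FLAGGED_VIA_MID = Ticket("CLIENT.EXAMPLE", "SERVICE.EXAMPLE",
                         TRANSITED_POLICY_CHECKED, ["MID.EXAMPLE"])
UNFLAGGED_VIA_HUB = Ticket("CLIENT.EXAMPLE", "SERVICE.EXAMPLE",
                           0, ["HUB.EXAMPLE"])
UNFLAGGED_VIA_MID = Ticket("CLIENT.EXAMPLE", "SERVICE.EXAMPLE",
                           0, ["MID.EXAMPLE"])

if __name__ == "__main__":
    for name, tkt in [("flagged via MID", FLAGGED_VIA_MID),
                      ("unflagged via HUB", UNFLAGGED_VIA_HUB),
                      ("unflagged via MID", UNFLAGGED_VIA_MID)]:
        for honor in (True, False):
            print(name, "honor_kdc_flag=%s" % honor,
                  check_transited(tkt, LOCAL_POLICY, honor))
```

The two settings differ only for the flagged ticket routed through a realm outside the local allow-list: honoring the flag accepts it, checking locally rejects it.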


From nobody Mon Aug 21 11:02:57 2017
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
Date: Mon, 21 Aug 2017 11:02:37 -0700
Cc: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Message-Id: <F5A25DBF-476A-462D-A7F1-C901BFC069D6@oxy.edu>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/FfROCoQM6ZVT8Uje4PsIj91hUAY>
Subject: [kitten] Tangent from:  Checking the transited list . . .

> On Aug 21, 2017, at 7:05 AM, Greg Hudson <ghudson@mit.edu> wrote:
>
> I'm not sure about "any KDC in the trust chain trusts the next hop."
> RFC 4120 doesn't think about cross-realm relationships in terms of
> trust.  Simply having cross-realm keys with another realm doesn't
> necessarily imply that the other realm is trustworthy.

That’s always been a slippery distinction in practice. Trust depends on
“local policy” which may be determined by many things that are
orthogonal to what the crypto can actually provide. Unless you’re
writing the code yourself, I would presume that anything with an
exchanged set of keys is trusted for authentication. Authorization is,
of course, outside the scope of Kerberos.

Personal email.  hbhotz@oxy.edu




From nobody Tue Aug 22 04:22:35 2017
To: Greg Hudson <ghudson@mit.edu>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
Date: Tue, 22 Aug 2017 13:22:20 +0200
In-Reply-To: <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ntG7eh7qhYNYknjP9jl5JshJB_A>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

On 21.08.2017 at 16:05, Greg Hudson wrote:
> On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
>> While thinking about this I can't see any value in checking the
>> transited list of the ticket. As that list is always under the
>> control of the KDC that issued the ticket. And the service
>> trusts its own KDC anyway, as well as any KDC in the trust
>> chain trusts the next hop. The only reason for this list
>> might be debugging.
>
> I'm not sure about "any KDC in the trust chain trusts the next hop."
> RFC 4120 doesn't think about cross-realm relationships in terms of
> trust.  Simply having cross-realm keys with another realm doesn't
> necessarily imply that the other realm is trustworthy.

At least it allows the other realm to issue cross-realm referral
tickets, which the local realm will most likely convert into service
tickets which can be used by a principal of the other realm to
access services in the local realm.

And the client principal names (including client realm) in the
cross-realm ticket can contain any value, which is fully controlled
by the other realm's KDCs.

I guess that's what RFC 4120 means by "The presence of trusted KDCs in
this list does not provide any guarantee; an untrusted KDC may have
fabricated the list."

>> Is there any reason to keep the krb5_check_transited() (in Heimdal)
>> and krb5_check_transited_list() (in MIT) in their current form?
>
> Well, it's mandatory in RFC 4120 section 2.7:
>
>    Application servers MUST either do the transited-realm checks
>    themselves or reject cross-realm tickets without
>    TRANSITED-POLICY-CHECKED set.
>
> It would be okay to skip this check on application servers if the ticket
> has the TRANSITED-POLICY-CHECKED flag.  Heimdal appears to do this but
> MIT krb5 does not; I'm not sure why as that behavior dates to before my
> time.

The fact that it's mandatory according to the RFC doesn't mean it
gains anything for the application server. But if others believe
that the check helps, I'm fine with that.

Would it be acceptable then if I implement
gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) for
MIT and Heimdal in order to let an application service skip the check
if they know what they're doing by checking trusting their KDC and doing
the PAC verification?

metze




From nobody Tue Aug 22 08:02:50 2017
To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
Date: Tue, 22 Aug 2017 11:02:40 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/oPztXhE-OfncTNIJnYyFztlwmxI>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 15:02:49 -0000

On 08/22/2017 07:22 AM, Stefan Metzmacher wrote:
>> I'm not sure about "any KDC in the trust chain trusts the next hop."
>> RFC 4120 doesn't think about cross-realm relationships in terms of
>> trust.  Simply having cross-realm keys with another realm doesn't
>> necessarily imply that the other realm is trustworthy.

> At least it allows the other realm to issue cross-realm referral
> tickets, which the local realm will most likely convert into service
> tickets which can be used by a principal of the other realm to
> access services in the local realm.

To authenticate, yes; whether that provides any access depends on the
services in the local realm.

> And the client principal names (including client realm) in the
> cross-realm ticket can contain any value, which is fully controlled
> by the other realm's KDCs.

Yes, which makes it the local realm's job (either at the KDC or the
application server) to decide whether the other realm's KDC should be
able to claim that client realm name.  Completely trusting the foreign
realm is one option, but that option mostly restricts cross-realm
relationships to foreign realms of equal or greater privilege.  (I say
"mostly" because a KDC can trivially deny a ticket from the foreign
realm which purports to authenticate a client in the local realm.  So one
might be willing to trust a foreign realm to authenticate clients in all
non-local realms if one doesn't grant much privilege to any non-local
user anyway.)

> Would it be acceptable then if I implement
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) for
> MIT and Heimdal in order to let an application service skip the check
> if they know what they're doing by checking trusting their KDC and doing
> the PAC verification?

I think we should first consider whether it would be sufficient for MIT
krb5 to suppress the rd_req transited check if the
TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
KDCs both appear to perform the transited check and set the flag by default.

An application server always trusts its local KDC, but that trust isn't
useful for cross-realm relationships if the TRANSITED-POLICY-CHECKED
flag isn't in the ticket.  Clients can, in general, suppress the KDC
transited check with the DISABLE-TRANSITED-CHECK flag; therefore, a
ticket issued by the local KDC without the TRANSITED-POLICY-CHECKED flag
asserts nothing about the acceptability of the KDC path.

I am not sufficiently familiar with PACs to know whether PAC
verification is a fitting alternative to a transited policy check.
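
The behaviour proposed in the message above, as an added example that is not part of the original message and is not MIT krb5 or Heimdal code: an application server accepts the path on the local KDC's word only when the ticket carries TRANSITED-POLICY-CHECKED, and otherwise runs its own check of the transited realms. The flag value follows RFC 4120 (TicketFlags bit 12); the structs, function names, policy table and realm names are hypothetical, and the transited list is assumed to be already expanded into realm names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4120 TicketFlags bit 12; bit 0 is the most significant of 32 bits. */
#define FLAG_TRANSITED_POLICY_CHECKED (UINT32_C(1) << (31 - 12))

/* Hypothetical, simplified view of a decrypted service ticket. */
struct ticket_view {
    uint32_t flags;
    const char *client_realm;
    const char *const *transited;   /* intermediate realms, already expanded */
    size_t n_transited;
};

/* Hypothetical local policy entry: intermediates accepted for one client realm. */
struct allowed_path {
    const char *client_realm;
    const char *const *via;
    size_t n_via;
};

enum transit_result {
    TRANSIT_OK_KDC_CHECKED,   /* accepted on the local KDC's assertion */
    TRANSIT_OK_LOCAL_CHECK,   /* accepted by the server's own path check */
    TRANSIT_REJECT
};

static bool realm_in(const char *realm, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(realm, list[i]) == 0)
            return true;
    return false;
}

/* Server-side check: every intermediate must be allowed for the client realm. */
static bool path_allowed(const struct ticket_view *t,
                         const struct allowed_path *policy, size_t n_policy)
{
    const struct allowed_path *entry = NULL;

    for (size_t i = 0; i < n_policy; i++)
        if (strcmp(policy[i].client_realm, t->client_realm) == 0)
            entry = &policy[i];
    for (size_t i = 0; i < t->n_transited; i++)
        if (entry == NULL ||
            !realm_in(t->transited[i], entry->via, entry->n_via))
            return false;
    return true;    /* an empty transited list has nothing to reject */
}

enum transit_result check_transited(const struct ticket_view *t,
                                    const struct allowed_path *policy,
                                    size_t n_policy)
{
    /* Without the flag the ticket asserts nothing about the KDC path (the
     * client may have asked for DISABLE-TRANSITED-CHECK), so only a set
     * flag lets the server rely on its local KDC. */
    if (t->flags & FLAG_TRANSITED_POLICY_CHECKED)
        return TRANSIT_OK_KDC_CHECKED;
    return path_allowed(t, policy, n_policy) ? TRANSIT_OK_LOCAL_CHECK
                                             : TRANSIT_REJECT;
}

/* Constructed sample data: realm names are placeholders. */
static const char *const VIA_FOR_A[] = { "B.EXAMPLE" };
static const struct allowed_path POLICY[] = { { "A.EXAMPLE", VIA_FOR_A, 1 } };
static const char *const PATH_GOOD[] = { "B.EXAMPLE" };
static const char *const PATH_BAD[] = { "X.EXAMPLE" };

/* Evaluate a ticket for a client in A.EXAMPLE with the given flags and path. */
enum transit_result demo(uint32_t flags, const char *const *path, size_t n)
{
    struct ticket_view t = { flags, "A.EXAMPLE", path, n };
    return check_transited(&t, POLICY, sizeof(POLICY) / sizeof(POLICY[0]));
}

int main(void)
{
    printf("no flag, allowed path:    %d\n", demo(0, PATH_GOOD, 1));
    printf("no flag, unknown path:    %d\n", demo(0, PATH_BAD, 1));
    printf("flag set, unknown path:   %d\n",
           demo(FLAG_TRANSITED_POLICY_CHECKED, PATH_BAD, 1));
    return 0;
}
```

The third case shows what skipping the server-side check means in practice: once the flag is honoured, the path the server would have rejected is accepted entirely on the local KDC's policy.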


From nobody Tue Aug 22 09:45:57 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EFAB1323AB for <kitten@ietfa.amsl.com>; Tue, 22 Aug 2017 09:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwLzcvkLenYr for <kitten@ietfa.amsl.com>; Tue, 22 Aug 2017 09:45:53 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A2E813239C for <kitten@ietf.org>; Tue, 22 Aug 2017 09:45:53 -0700 (PDT)
X-AuditID: 12074425-3fdff70000003a01-60-599c5fc062fd
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 25.94.14849.0CF5C995; Tue, 22 Aug 2017 12:45:52 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7MGjpKw009938 for <kitten@ietf.org>; Tue, 22 Aug 2017 12:45:52 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7MGjosZ002405 for <kitten@ietf.org>; Tue, 22 Aug 2017 12:45:51 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Tue, 22 Aug 2017 12:45:50 -0400
Message-ID: <x7d378j1rgh.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/bF-LCH81rAeJFaOLU7AIkC_gVZ4>
Subject: [kitten] SPAKE and not replying to requests
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 16:45:55 -0000

The SPAKE draft currently says:

    If decryption is successful, the first factor is successfully
    validated. The KDC then validates the second factor. If either
    factor fails to validate, the KDC responds with an appropriate
    KRB-ERROR message.

Nathaniel and I recently discussed some scenarios where the KDC might
want to drop the request without replying:

1. The second-factor implementation is stateful, and the KDC which
received the request doesn't have the requisite state.

2. The second-factor type isn't recognized by the KDC, but another KDC
in the realm running a more recent version of the KDC code might be able
to handle it.

3. A KDC might not want to reveal timing information to an attacker, for
the purposes of indistinguishability (making it difficult to tell
whether the first factor validated).

On further consideration, (3) is a bit unlikely--it would yield a bad
user experience whenever a user mistypes their password.  Doing (1) or
(2) without (3) also breaks indistinguishability, but KDCs aren't
required to implement indistinguishability.

I propose to change this text to:

    [...] If either factor fails to validate, the KDC SHOULD respond
    with an appropriate KRB-ERROR message.  The KDC MAY choose not to
    respond to the request, with the expectation that the client will
    retry against other KDC servers within the realm.


From nobody Tue Aug 22 11:16:31 2017
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F351323C0 for <kitten@ietfa.amsl.com>; Tue, 22 Aug 2017 11:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ins8fxiNL0JL for <kitten@ietfa.amsl.com>; Tue, 22 Aug 2017 11:16:27 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CED52132192 for <kitten@ietf.org>; Tue, 22 Aug 2017 11:16:27 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7590A488; Tue, 22 Aug 2017 18:16:27 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 7590A488
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=rharwood@redhat.com
Received: from localhost (ovpn-66-195.rdu2.redhat.com [10.10.66.195]) by smtp.corp.redhat.com (Postfix) with ESMTP id 48A6960C96; Tue, 22 Aug 2017 18:16:27 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, kitten@ietf.org
In-Reply-To: <x7d378j1rgh.fsf@equal-rites.mit.edu>
References: <x7d378j1rgh.fsf@equal-rites.mit.edu>
Date: Tue, 22 Aug 2017 14:16:57 -0400
Message-ID: <jlgfucj31t2.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Tue, 22 Aug 2017 18:16:27 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ecbjG9oTsnYO8QUTVN-Tif2tBX0>
Subject: Re: [kitten] SPAKE and not replying to requests
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 18:16:30 -0000

--=-=-=
Content-Type: text/plain

Greg Hudson <ghudson@mit.edu> writes:

> The SPAKE draft currently says:
>
>     If decryption is successful, the first factor is successfully
>     validated. The KDC then validates the second factor. If either
>     factor fails to validate, the KDC responds with an appropriate
>     KRB-ERROR message.
>
> Nathaniel and I recently discussed some scenarios where the KDC might
> want to drop the request without replying:
>
> 1. The second-factor implementation is stateful, and the KDC which
> received the request doesn't have the requisite state.
>
> 2. The second-factor type isn't recognized by the KDC, but another KDC
> in the realm running a more recent version of the KDC code might be
> able to handle it.
>
> 3. A KDC might not want to reveal timing information to an attacker,
> for the purposes of indistinguishability (making it difficult to tell
> whether the first factor validated).
>
> On further consideration, (3) is a bit unlikely--it would yield a bad
> user experience whenever a user mistypes their password.  Doing (1) or
> (2) without (3) also breaks indistinguishability, but KDCs aren't
> required to implement indistinguishability.
>
> I propose to change this text to:
>
>     [...] If either factor fails to validate, the KDC SHOULD respond
>     with an appropriate KRB-ERROR message.  The KDC MAY choose not to
>     respond to the request, with the expectation that the client will
>     retry against other KDC servers within the realm.

I wonder if we should be more explicit about what the client should do
if it doesn't get a reply from the server here.  Maybe something like,
e.g., "The KDC MAY choose not to respond to the request, at which point
the client SHOULD retry against other KDC servers within the realm." or
so?

Thanks,
--Robbie

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--


From nobody Tue Aug 22 15:38:20 2017
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74CA1132A8B; Tue, 22 Aug 2017 15:38:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KN0g6469YA6L; Tue, 22 Aug 2017 15:38:17 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFCCC1329F0; Tue, 22 Aug 2017 15:38:17 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 75E2213A97; Tue, 22 Aug 2017 22:30:24 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 75E2213A97
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=rharwood@redhat.com
Received: from localhost (ovpn-66-195.rdu2.redhat.com [10.10.66.195]) by smtp.corp.redhat.com (Postfix) with ESMTP id 43B12614D3; Tue, 22 Aug 2017 22:30:24 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, Benjamin Kaduk <kaduk@mit.edu>, kitten@ietf.org
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org
In-Reply-To: <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu>
Date: Tue, 22 Aug 2017 18:30:54 -0400
Message-ID: <jlga82r2q1t.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Tue, 22 Aug 2017 22:30:24 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/cyihfLDVMLgtTcMV46V73yVxrqQ>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 22:38:19 -0000

--=-=-=
Content-Type: text/plain

Greg Hudson <ghudson@mit.edu> writes:

> On 08/18/2017 02:10 PM, Benjamin Kaduk wrote:
>
>> I'm not sure that the registry policies make sense, most notably with
>> respect to marking things as Required (to implement).

Sure, I'm happy to discuss the registry policy.

To be clear: are you suggesting that the "Required" should disappear as
an option, or that the whole "Implementation Requirements" section
should disappear?

(And is this for both registries, or just one of them?)

> I tend to agree that any mandatory-to-implement policy should be
> written into this draft, and not be part of the registry.

The disadvantage of having mandatory-to-implement items defined but not
in the registry is that it fragments the numbering.  For example, in our
Kerberos SPAKE Groups registry, currently P-256 is required, and
assigned ID Number: 1.  If we remove it from the registry, it won't have
an ID Number.  (Unless we give it one a different way.)

Thanks,
--Robbie

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--


From nobody Tue Aug 22 15:50:07 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF10132A94; Tue, 22 Aug 2017 15:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azd034iszUdN; Tue, 22 Aug 2017 15:50:04 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AF7B1329DF; Tue, 22 Aug 2017 15:50:04 -0700 (PDT)
X-AuditID: 1209190c-493ff70000004f92-50-599cb51b788c
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id F1.B0.20370.B15BC995; Tue, 22 Aug 2017 18:50:03 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7MMo203027579; Tue, 22 Aug 2017 18:50:02 -0400
Received: from [18.101.8.135] (VPN-18-101-8-135.MIT.EDU [18.101.8.135]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7MMnx8O024648 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 22 Aug 2017 18:50:00 -0400
To: Robbie Harwood <rharwood@redhat.com>, Benjamin Kaduk <kaduk@mit.edu>, kitten@ietf.org
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu> <jlga82r2q1t.fsf@redhat.com>
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c6d33fc1-13b6-03cf-0138-f3219cf7d7a1@mit.edu>
Date: Tue, 22 Aug 2017 18:49:58 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <jlga82r2q1t.fsf@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zMoFs8B87dFy4OHPfywuKkUoiyQ>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 22:50:06 -0000

On 08/22/2017 06:30 PM, Robbie Harwood wrote:
>> I tend to agree that any mandatory-to-implement policy should be
>> written into this draft, and not be part of the registry.
> 
> The disadvantage of having mandatory-to-implement items defined but not
> in the registry is that it fragments the numbering.  For example, in our
> Kerberos SPAKE Groups registry, currently P-256 is required, and
> assigned ID Number: 1.  If we remove it from the registry, it won't have
> an ID Number.  (Unless we give it one a different way.)

I think I miscommunicated.  P-256 should be in the registry, but if we
want to specify that it is mandatory-to-implement, I believe we should
say that in the RFC outside of the IANA registry.


From nobody Wed Aug 23 08:58:55 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 428441329CC for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 08:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vf9KstYYnFsY for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 08:58:53 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3470126BF0 for <kitten@ietf.org>; Wed, 23 Aug 2017 08:58:52 -0700 (PDT)
X-AuditID: 12074423-c77ff70000004615-e6-599da63ab990
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id E7.B4.17941.A36AD995; Wed, 23 Aug 2017 11:58:50 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v7NFwnmD007657; Wed, 23 Aug 2017 11:58:49 -0400
Received: from [18.101.8.119] (VPN-18-101-8-119.MIT.EDU [18.101.8.119]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7NFwk2x027336 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 23 Aug 2017 11:58:48 -0400
To: Robbie Harwood <rharwood@redhat.com>, kitten@ietf.org
References: <x7d378j1rgh.fsf@equal-rites.mit.edu> <jlgfucj31t2.fsf@redhat.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <3be44bb4-270e-64b7-4987-450c36885425@mit.edu>
Date: Wed, 23 Aug 2017 11:58:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <jlgfucj31t2.fsf@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/LO8KsadxoBTJuS1jrv07nE7SuhM>
Subject: Re: [kitten] SPAKE and not replying to requests
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 15:58:54 -0000

On 08/22/2017 02:16 PM, Robbie Harwood wrote:
>> I propose to change this text to:
>>
>>     [...] If either factor fails to validate, the KDC SHOULD respond
>>     with an appropriate KRB-ERROR message.  The KDC MAY choose not to
>>     respond to the request, with the expectation that the client will
>>     retry against other KDC servers within the realm.
> 
> I wonder if we should be more explicit about what the client should do
> if it doesn't get a reply from the server here.  Maybe something like,
> e.g., "The KDC MAY choose not to respond to the request, at which point
> the client SHOULD retry against other KDC servers within the realm." or
> so?

I would prefer that this document not get into the weeds of client-KDC
network communication, but looking at RFC 4120, I think you are right
that nothing really says what the client should do in the face of a
timeout.  There are also cases where a client might not be able to reach
all KDC processes for a realm (network load balancers, MIT krb5 KDC
worker processes, etc.), so perhaps black-holing requests is a hack we
shouldn't encourage in the standard.

With that in mind, I guess I just want the text to say:

    If either factor fails to validate, the KDC SHOULD respond with an
    appropriate KRB-ERROR message.

with no further discussion of what a KDC might choose to do instead.


From nobody Wed Aug 23 13:33:26 2017
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2BA713264C for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 13:33:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pHdvWW6wTnkH for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 13:33:23 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E19931321C0 for <kitten@ietf.org>; Wed, 23 Aug 2017 13:33:23 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8EED44ACC7; Wed, 23 Aug 2017 20:33:23 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 8EED44ACC7
Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=rharwood@redhat.com
Received: from localhost (ovpn-66-132.rdu2.redhat.com [10.10.66.132]) by smtp.corp.redhat.com (Postfix) with ESMTP id 583E068B19; Wed, 23 Aug 2017 20:33:23 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, kitten@ietf.org
In-Reply-To: <3be44bb4-270e-64b7-4987-450c36885425@mit.edu>
References: <x7d378j1rgh.fsf@equal-rites.mit.edu> <jlgfucj31t2.fsf@redhat.com> <3be44bb4-270e-64b7-4987-450c36885425@mit.edu>
Date: Wed, 23 Aug 2017 16:33:44 -0400
Message-ID: <jlgd17mc9cn.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 23 Aug 2017 20:33:23 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/oKxEE_YDQzCahi4CqsRLvQe1_ig>
Subject: Re: [kitten] SPAKE and not replying to requests
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 20:33:26 -0000

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Greg Hudson <ghudson@mit.edu> writes:

> On 08/22/2017 02:16 PM, Robbie Harwood wrote:
>>> I propose to change this text to:
>>>
>>>     [...] If either factor fails to validate, the KDC SHOULD respond
>>>     with an appropriate KRB-ERROR message.  The KDC MAY choose not to
>>>     respond to the request, with the expectation that the client will
>>>     retry against other KDC servers within the realm.
>>
>> I wonder if we should be more explicit about what the client should do
>> if it doesn't get a reply from the server here.  Maybe something like,
>> e.g., "The KDC MAY choose not to respond to the request, at which point
>> the client SHOULD retry against other KDC servers within the realm." or
>> so?
>
> I would prefer that this document not get into the weeds of client-KDC
> network communication, but looking at RFC 4120, I think you are right
> that nothing really says what the client should do in the face of a
> timeout.  There are also cases where a client might not be able to reach
> all KDC processes for a realm (network load balancers, MIT krb5 KDC
> worker processes, etc.), so perhaps black-holing requests is a hack we
> shouldn't encourage in the standard.
>
> With that in mind, I guess I just want the text to say:
>
>     If either factor fails to validate, the KDC SHOULD respond with an
>     appropriate KRB-ERROR message.
>
> with no further discussion of what a KDC might choose to do instead.

Agreed, that makes sense to me.

Thanks,
--Robbie

--=-=-=--


From nobody Wed Aug 23 16:02:00 2017
Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95FE31326DF for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 16:01:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h59hxJt28oX4 for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 16:01:56 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::147:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CD81132328 for <kitten@ietf.org>; Wed, 23 Aug 2017 16:01:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org;  s=42627210; h=Date:Message-ID:From:To:CC; bh=M5i5/E69OiUx2bsJShvXFwAuZPTGvCEnfTcLv2vojUg=; b=iPn4+7Zv1CxQ94SKCDDLNJiKYS E9etuUoB/Ka6UNLWuhlTKt51YIDaVRRbFMh4+xleCcwRvOH+IqUfSI/TTvS+VQXLPAyzUyoAZhWH0 y4budvsIGLbdfJXknctBtvwVOSVw9w2NfBYLB7Pm8jRgziw4mxddq5T+c9SE7s3ACcZA=;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim) id 1dkeei-0004KW-7L; Wed, 23 Aug 2017 23:01:51 +0000
To: Greg Hudson <ghudson@mit.edu>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
Date: Thu, 24 Aug 2017 01:01:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="djj89QPn1Uuhprxagavw4fjXIuCkt3fmg"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zIdt_qSr7PdpcEtfaUkG-P7RvpU>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 23:01:58 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--djj89QPn1Uuhprxagavw4fjXIuCkt3fmg
Content-Type: multipart/mixed; boundary="cCt1DiXAlsJnrld8FJAiN1TfASCRHLIfn";
 protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: Greg Hudson <ghudson@mit.edu>, heimdal-discuss@h5l.org,
 "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org"
 <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Message-ID: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a
 transitive cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
 <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
 <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
 <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
In-Reply-To: <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>

--cCt1DiXAlsJnrld8FJAiN1TfASCRHLIfn
Content-Type: multipart/mixed;
 boundary="------------D1BADEF6B8D80BB51268BC0C"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------D1BADEF6B8D80BB51268BC0C
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 22.08.2017 at 17:02, Greg Hudson wrote:
> On 08/22/2017 07:22 AM, Stefan Metzmacher wrote:
>>> I'm not sure about "any KDC in the trust chain trusts the next hop."
>>> RFC 4120 doesn't think about cross-realm relationships in terms of
>>> trust.  Simply having cross-realm keys with another realm doesn't
>>> necessarily imply that the other realm is trustworthy.
>
>> At least it allows the other realm to issue cross-realm referral
>> tickets, which the local realm will most likely convert into service
>> tickets which can be used by a principal of the other realm to
>> access services in the local realm.
>
> To authenticate, yes; whether that provides any access depends on the
> services in the local realm.
>
>> And the client principal names (including client realm) in the
>> cross-realm ticket can contain any value, which is fully controlled
>> by the other realm's KDCs.
>
> Yes, which makes it the local realm's job (either at the KDC or the
> application server) to decide whether the other realm's KDC should be
> able to claim that client realm name.  Completely trusting the foreign
> realm is one option, but that option mostly restricts cross-realm
> relationships to foreign realms of equal or greater privilege.  (I say
> "mostly" because a KDC can trivially deny a ticket from the foreign
> realm which purports to authenticate a client in the local realm.  So one
> might be willing to trust a foreign realm to authenticate clients in all
> non-local realms if one doesn't grant much privilege to any non-local
> user anyway.)
>
>> Would it be acceptable then if I implement
>> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) for
>> MIT and Heimdal in order to let an application service skip the check
>> if they know what they're doing by checking trusting their KDC and doing
>> the PAC verification.
>
> I think we should first consider whether it would be sufficient for MIT
> krb5 to suppress the rd_req transited check if the
> TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
> KDCs both appear to perform the transited check and set the flag by default.

But Windows KDCs don't set this bit (I guess because it's just not
useful).

> An application server always trusts its local KDC, but that trust isn't
> useful for cross-realm relationships if the TRANSITED-POLICY-CHECKED
> flag isn't in the ticket.  Clients can, in general, suppress the KDC
> transited check with the DISABLE-TRANSITED-CHECK flag; therefore, a
> ticket issued by the local KDC without the TRANSITED-POLICY-CHECKED flag
> asserts nothing about the acceptability of the KDC path.
>
> I am not sufficiently familiar with PACs to know whether PAC
> verification is a fitting alternative to a transited policy check.

I've attached network captures with a keytab that allows wireshark
to decrypt the messages.

We have the computer
FD23-73$@W4EDOM-L4.BASE (fd3a:aaa3:ee87:ff09:200:ff:fe09:73)
that tries to do S4U2Self for
administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE.

W4EDOM-L4.BASE (fd3a:aaa3:ee87:ff09:200:ff:fe09:133)
is its own forest. It trusts the forest W2012R2-L4.BASE
(fd3a:aaa3:ee87:ff09:200:ff:fe09:183) which has subdomains
S1-W2012-L4.W2012R2-L4.BASE (fd3a:aaa3:ee87:ff09:200:ff:fe09:181)
and S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
(fd3a:aaa3:ee87:ff09:200:ff:fe09:182)

The interesting parts are the ticket returned in frame 218;
it is a normal cross-realm ticket with transited = W2012R2-L4.BASE.
Frames 242, 285 and 352 are the S4U2Self (reverse) referrals
with more values in the transited field. Note the cname
is still fd23-73$@W4EDOM-L4.BASE, but the PAC within the
authorization-data already belongs to
administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE (e.g. see the
Client Info Type).
The final S4U2Self ticket in frame 377 also has 3 domains
(with a different encoding compared to 285).
In the final ticket the Client Info Name needs to match exactly
the cname of the ticket and the Client Info time the authtime
of the ticket, that's verified by krb5_pac_verify().

The 2nd example uses a forest trust from W4EDOM-L4.BASE to
BLA.BASE (fd3a:aaa3:ee87:ff09:200:ff:fe09:219) which has a 2nd tree
root domain in the same forest called BLA2.BASE
(fd3a:aaa3:ee87:ff09:200:ff:fe09:194).
We try S4U2Self for administrator@BLA2.BASE here.

There we have transited = BLA.BASE in frame 231, which is the
first S4U2Self (reverse) referral. The final ticket in frame 323
has BLA.BASE and BLA2.BASE in the transited field, which causes
the transited verification to fail unless I manually configure
a [capaths] section.

Each KDC applies some SID-Filtering to the group memberships
of the Logon Info field in the PAC, which prevents impersonation
of local principals via cross-realm tickets. The PAC contains two
signatures, one using the long term key that belongs to
the sname@realm of the ticket (either the cross-realm key or the key of
the final service). This service signature is checksummed by the local
krbtgt long term key, so that the service itself can't fool the KDC
and generate its own PAC.

See [MS-PAC] 4.1.2 Authorization Validation and Filtering
https://msdn.microsoft.com/en-us/library/cc237938.aspx
to get more details.

Windows and also Samba basically use the Logon Info part of the
PAC to form the authorization token for the client.
Which means the verification of the PAC service signature is enough
in order to trust our KDC, which already applied the required
SID-Filtering for us.

I hope I was able to bring some light into this complex topic.

In order to work without manual configuration, we need a way
to disable the transited check when we're the service.

If you have wireshark with kerberos decryption support you can use:
wireshark -K all-domains.keytab
net-ads-kerberos-pac-fd23-73\@W4EDOM-L4-impersonate-administrator\@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE-ok02.pcap.gz
and
wireshark -K all-domains.keytab
net-ads-kerberos-pac-fd23-73\@W4EDOM-L4-impersonate-administrator\@BLA2.BASE-fail-transit-03.pcap.gz

metze

--------------D1BADEF6B8D80BB51268BC0C
Content-Type: application/gzip;
 name="net-ads-kerberos-pac-fd23-73@W4EDOM-L4-impersonate-administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE-ok02.pcap.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="net-ads-kerberos-pac-fd23-73@W4EDOM-L4-impersonate-administr";
 filename*1="ator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE-ok02.pcap.gz"
--------------D1BADEF6B8D80BB51268BC0C
Content-Type: application/gzip;
 name="net-ads-kerberos-pac-fd23-73@W4EDOM-L4-impersonate-administrator@BLA2.BASE-fail-transit-03.pcap.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="net-ads-kerberos-pac-fd23-73@W4EDOM-L4-impersonate-administr";
 filename*1="ator@BLA2.BASE-fail-transit-03.pcap.gz"
--------------D1BADEF6B8D80BB51268BC0C
Content-Type: application/octet-stream;
 name="all-domains.keytab"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="all-domains.keytab"
--------------D1BADEF6B8D80BB51268BC0C--

--cCt1DiXAlsJnrld8FJAiN1TfASCRHLIfn--

--djj89QPn1Uuhprxagavw4fjXIuCkt3fmg--


From nobody Wed Aug 23 17:38:30 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475AF132A92 for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 17:38:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGsqtjMrcoRd for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 17:38:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5E781200B9 for <kitten@ietf.org>; Wed, 23 Aug 2017 17:38:14 -0700 (PDT)
X-AuditID: 12074422-44bff7000000158d-97-599e1ff36334
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 6F.7C.05517.3FF1E995; Wed, 23 Aug 2017 20:38:11 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7O0cAkT018476; Wed, 23 Aug 2017 20:38:11 -0400
Received: from [18.101.8.119] (VPN-18-101-8-119.MIT.EDU [18.101.8.119]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7O0c7ML024924 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 23 Aug 2017 20:38:09 -0400
To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
Date: Wed, 23 Aug 2017 20:38:07 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/aJ-DRjICZJXt8LC2EMLFsYhmptw>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 00:38:16 -0000

On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
> 
> But Windows KDCs don't set this bit (I guess because it's just not
> useful).

I don't agree at all that the bit isn't useful.  That bit is how a KDC
communicates that it vouches for the transited path.  Unfortunately, you
do appear to be correct about Windows KDCs.  MS-KILE says:

    The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
    MUST NOT check for transited domains on servers or a KDC.
    Application servers MUST ignore the TRANSITED-POLICYCHECKED flag.

which basically means Microsoft has declined to conform to RFC 4120 in
this area, instead requiring servers to implement PACs to interoperate
in a cross-realm environment.

I guess the proposed credential option is necessary, in that case.


From nobody Thu Aug 24 05:36:30 2017
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99210132392 for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 05:36:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kivx347OvhS6 for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 05:36:27 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 477B11321DC for <kitten@ietf.org>; Thu, 24 Aug 2017 05:36:26 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 111A881DE5; Thu, 24 Aug 2017 12:36:26 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 111A881DE5
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=simo@redhat.com
Received: from ovpn-117-60.phx2.redhat.com (ovpn-117-60.phx2.redhat.com [10.3.117.60]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 38A7D7D51D; Thu, 24 Aug 2017 12:36:25 +0000 (UTC)
Message-ID: <1503578184.3428.19.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, Stefan Metzmacher <metze@samba.org>,  heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,  "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Date: Thu, 24 Aug 2017 08:36:24 -0400
In-Reply-To: <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 24 Aug 2017 12:36:26 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/7Y5tmNEbqF52GwUl0vRLfiILUI0>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 12:36:28 -0000

On Wed, 2017-08-23 at 20:38 -0400, Greg Hudson wrote:
> On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
> > > I think we should first consider whether it would be sufficient for MIT
> > > krb5 to suppress the rd_req transited check if the
> > > TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
> > > KDCs both appear to perform the transited check and set the flag by default.
> >
> > But Windows KDCs don't set this bit (I guess because it's just not
> > useful).
>
> I don't agree at all that the bit isn't useful.  That bit is how a KDC
> communicates that it vouches for the transited path.  Unfortunately, you
> do appear to be correct about Windows KDCs.  MS-KILE says:
>
>     The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
>     MUST NOT check for transited domains on servers or a KDC.
>     Application servers MUST ignore the TRANSITED-POLICYCHECKED flag.
>
> which basically means Microsoft has declined to conform to RFC 4120 in
> this area, instead requiring servers to implement PACs to interoperate
> in a cross-realm environment.
>
> I guess the proposed credential option is necessary, in that case.
>

I think in this case ignoring the flag should probably be conditional
to whether a PAC is present.

My2c.

Simo.
-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


From nobody Thu Aug 24 06:11:26 2017
Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DCF7132937 for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 06:11:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQQJhZdXqbgf for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 06:11:23 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::147:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6404713295E for <kitten@ietf.org>; Thu, 24 Aug 2017 06:11:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org;  s=42627210; h=Date:Message-ID:From:To:CC; bh=yu5h3LrLkw3o2i/CkwL1ERpic9Fep0ge0nNLIV5mVy0=; b=VYSNh9GB11RN19U+Z9yUzxFjXY yYfAk3yQ+JBcmclXjwdfz/2FqCY69kpQiQsX+Pgbdugf1cQC2i/1Sx/Tk3wC1loQr/lKSTQu7Evjz z/DhKCy7l3mlHDriQ3NAllPgWb2G2DJWyxB1SmUiECl6wOo8EUqWzeRuen3G7GM8eRMA=;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim) id 1dkrup-0004qX-Sy; Thu, 24 Aug 2017 13:11:20 +0000
To: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Date: Thu, 24 Aug 2017 15:11:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <1503578184.3428.19.camel@redhat.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="3V9pwCB94eJpShPt1V5HKEaEoTkekOP32"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/bFIYYh5PRQgWFSQrTsoKVz3DZPw>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 13:11:25 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32
Content-Type: multipart/mixed; boundary="lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI";
 protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>,
 heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
 "kitten@ietf.org" <kitten@ietf.org>,
 Samba Technical <samba-technical@lists.samba.org>
Message-ID: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a
 transitive cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
 <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
 <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
 <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
 <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
 <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
 <1503578184.3428.19.camel@redhat.com>
In-Reply-To: <1503578184.3428.19.camel@redhat.com>

--lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi Simo,

>> I guess the proposed credential option is necessary, in that case.
>>
>
> I think in this case ignoring the flag should probably be conditional
> to whether a PAC is present.

We should enforce a PAC always to be present, as we don't support
trusted domains with LSA_TRUST_TYPE_MIT anyway.

metze


--lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI--

--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32--


From nobody Thu Aug 24 10:36:36 2017
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82E43132646 for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 10:36:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzYaf6Qe6wGf for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 10:36:32 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64DE313247A for <kitten@ietf.org>; Thu, 24 Aug 2017 10:36:32 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E6A57404338; Thu, 24 Aug 2017 17:36:31 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E6A57404338
Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=simo@redhat.com
Received: from ovpn-117-60.phx2.redhat.com (ovpn-117-60.phx2.redhat.com [10.3.117.60]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 980ED7F80C; Thu, 24 Aug 2017 17:36:30 +0000 (UTC)
Message-ID: <1503596189.3428.26.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Stefan Metzmacher <metze@samba.org>, Greg Hudson <ghudson@mit.edu>,  heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,  "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Date: Thu, 24 Aug 2017 13:36:29 -0400
In-Reply-To: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Thu, 24 Aug 2017 17:36:32 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PkxM4lhdDEnakwQBbJnyhO18iwI>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 17:36:34 -0000

On Thu, 2017-08-24 at 15:11 +0200, Stefan Metzmacher wrote:
> Hi Simo,
> 
> > > I guess the proposed credential option is necessary, in that case.
> > >
> >
> > I think in this case ignoring the flag should probably be conditional
> > to whether a PAC is present.
> 
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.

In samba, yes, but that option can be used in other clients that can
connect to multiple types of servers so in case they do not get a PAC
the flag should be respected.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


From nobody Thu Aug 24 13:47:06 2017
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE7B613238E for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 13:47:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MGr4bjR_9Cyz for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 13:47:03 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CC5F1321A3 for <kitten@ietf.org>; Thu, 24 Aug 2017 13:47:03 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 999337A3302 for <kitten@ietf.org>; Thu, 24 Aug 2017 20:47:01 +0000 (UTC) (envelope-from viktor1dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
In-Reply-To: <1503596189.3428.26.camel@redhat.com>
Date: Thu, 24 Aug 2017 16:47:01 -0400
Content-Transfer-Encoding: 7bit
Reply-To: kitten@ietf.org
Message-Id: <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org> <1503596189.3428.26.camel@redhat.com>
To: kitten@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/djN9p-sF-1fo8Iy4_9U-vaYaF5c>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 20:47:05 -0000

[ Just kitten, as either not subscribed or subscribed with a different
  address to some of the other lists. ]

> On Aug 24, 2017, at 1:36 PM, Simo Sorce <simo@redhat.com> wrote:
> 
>> We should enforce a PAC always to be present, as we don't support
>> trusted domains with LSA_TRUST_TYPE_MIT anyway.
> 
> In samba, yes, but that option can be used in other clients that can
> connect to multiple types of servers so in case they do not get a PAC
> the flag should be respected.

Does the Kerberos library know whether the application is going
to look at PACs and SIDs or just use the client principal name?  I am
guessing it does not.  Thus in Samba, one might need a dedicated
krb5.conf configuration file that disables the transit check.  Other
applications should still apply transit check even if a PAC happens
to be present, as AFAIK it may well remain unused.

-- 
	Viktor.


From nobody Thu Aug 24 15:29:43 2017
Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 863A7132719 for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 15:29:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iRwK9frudYZp for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 15:29:39 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::147:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D77A13219C for <kitten@ietf.org>; Thu, 24 Aug 2017 15:29:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org;  s=42627210; h=Date:Message-ID:From:To:CC; bh=EZHamunlB2pZGuxuPreynrYT2veV+d2whupHPlCJjzc=; b=J3aRvotRqHg2RXEL08zP9oFZJf DVEUN7uxnKdufySqzOjBNJBKKV8CBBiNA/H4znrlurXXM6CY95EvQM6+rZW1KgQrfDXknZtcdIgPK nOXwVK3BARVjIio2/TN1EuXqLyAlpXc0mNld6Tgx2+DffycDVaP8lqISP/M6li/UzsMQ=;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim) id 1dl0d3-0002Lu-99; Thu, 24 Aug 2017 22:29:33 +0000
To: kitten@ietf.org, Viktor Dukhovni <viktor1dane@dukhovni.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org> <1503596189.3428.26.camel@redhat.com> <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org>
Date: Fri, 25 Aug 2017 00:29:27 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="KSAgShrCFKmj0fAhFUaQ83kUfX1xbwA1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/xBrXUFTPaXNOh6WigZ0hACRJJNc>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 22:29:41 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--KSAgShrCFKmj0fAhFUaQ83kUfX1xbwA1b
Content-Type: multipart/mixed; boundary="STfdRlnbQREpvulbhjaBQQaUXNcbSQgaK";
 protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: kitten@ietf.org, Viktor Dukhovni <viktor1dane@dukhovni.org>,
 Samba Technical <samba-technical@lists.samba.org>
Message-ID: <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a
 transitive cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
 <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
 <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
 <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
 <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
 <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
 <1503578184.3428.19.camel@redhat.com>
 <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
 <1503596189.3428.26.camel@redhat.com>
 <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org>
In-Reply-To: <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org>

--STfdRlnbQREpvulbhjaBQQaUXNcbSQgaK
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Am 24.08.2017 um 22:47 schrieb Viktor Dukhovni:
>
> [ Just kitten, as either not subscribed or subscribed with a different
>   address to some of the other lists. ]
>
>> On Aug 24, 2017, at 1:36 PM, Simo Sorce <simo@redhat.com> wrote:
>>
>>> We should enforce a PAC always to be present, as we don't support
>>> trusted domains with LSA_TRUST_TYPE_MIT anyway.
>>
>> In samba, yes, but that option can be used in other clients that can
>> connect to multiple types of servers so in case they do not get a PAC
>> the flag should be respected.
>
> Does the Kerberos library know whether the application is going
> to look at PACs and SIDs or just use the client principal name?  I am
> guessing it does not.  Thus in Samba, one might need a dedicated
> krb5.conf configuration file that disables the transit check.  Other
> applications should still apply transit check even if a PAC happens
> to be present, as AFAIK it may well remain unused.

My idea was that Samba would use
gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
that the transited list should not be checked.

metze



--STfdRlnbQREpvulbhjaBQQaUXNcbSQgaK--

--KSAgShrCFKmj0fAhFUaQ83kUfX1xbwA1b
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--KSAgShrCFKmj0fAhFUaQ83kUfX1xbwA1b--


From nobody Thu Aug 24 16:10:25 2017
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E9401329C5 for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 16:10:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1sEMZ8j1bQ5O for <kitten@ietfa.amsl.com>; Thu, 24 Aug 2017 16:10:22 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60B3513219A for <kitten@ietf.org>; Thu, 24 Aug 2017 16:10:20 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 70ED2C058EC4; Thu, 24 Aug 2017 23:10:19 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 70ED2C058EC4
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=simo@redhat.com
Received: from ovpn-117-60.phx2.redhat.com (ovpn-117-60.phx2.redhat.com [10.3.117.60]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D30F039C1; Thu, 24 Aug 2017 23:10:18 +0000 (UTC)
Message-ID: <1503616217.3428.33.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Stefan Metzmacher <metze@samba.org>, kitten@ietf.org, Viktor Dukhovni <viktor1dane@dukhovni.org>, Samba Technical <samba-technical@lists.samba.org>
Date: Thu, 24 Aug 2017 19:10:17 -0400
In-Reply-To: <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org> <1503596189.3428.26.camel@redhat.com> <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org> <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 24 Aug 2017 23:10:19 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/YybFlft8kIDa-7NKcjRVXx-kOwo>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 23:10:24 -0000

On Fri, 2017-08-25 at 00:29 +0200, Stefan Metzmacher wrote:
> Am 24.08.2017 um 22:47 schrieb Viktor Dukhovni:
> > 
> > [ Just kitten, as either not subscribed or subscribed with a different
> >   address to some of the other lists. ]
> >
> > > On Aug 24, 2017, at 1:36 PM, Simo Sorce <simo@redhat.com> wrote:
> > >
> > > > We should enforce a PAC always to be present, as we don't support
> > > > trusted domains with LSA_TRUST_TYPE_MIT anyway.
> > >
> > > In samba, yes, but that option can be used in other clients that can
> > > connect to multiple types of servers so in case they do not get a PAC
> > > the flag should be respected.
> >
> > Does the Kerberos library know whether the application is going
> > to look at PACs and SIDs or just use the client principal name?  I am
> > guessing it does not.  Thus in Samba, one might need a dedicated
> > krb5.conf configuration file that disables the transit check.  Other
> > applications should still apply transit check even if a PAC happens
> > to be present, as AFAIK it may well remain unused.
>
> My idea was that Samba would use
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
> that the transited list should not be checked.

It's my idea as well, but if you are operating in a mixed environment
and the ticket happens to come without a PAC the transited list should
probably be checked instead. A service *may* decide to bail out if no
PAC is present but it shouldn't have to.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


From nobody Mon Aug 28 08:08:03 2017
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: kitten@ietf.org
Delivered-To: kitten@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A542A132C4B; Mon, 28 Aug 2017 08:07:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
CC: draft-ietf-kitten-rfc5653bis@ietf.org, kitten@ietf.org, ekr@rtfm.com, kitten-chairs@ietf.org, mrogers@redhat.com
Reply-To: ietf@ietf.org
Sender: <iesg-secretary@ietf.org>
Message-ID: <150393287567.9887.607781019425031654.idtracker@ietfa.amsl.com>
Date: Mon, 28 Aug 2017 08:07:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/hIV79aWCAMT2f0GJlJOnPjyj-Ac>
Subject: [kitten] Last Call: <draft-ietf-kitten-rfc5653bis-05.txt> (Generic Security Service API Version 2: Java Bindings Update) to Proposed Standard
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2017 15:07:56 -0000

The IESG has received a request from the Common Authentication Technology
Next Generation WG (kitten) to consider the following document: - 'Generic
Security Service API Version 2: Java Bindings Update'
  <draft-ietf-kitten-rfc5653bis-05.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-09-11. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in
   "Generic Security Service API Version 2 : Java Bindings Update" (RFC
   5653).  This document obsoletes RFC 5653 by adding a new output token
   field to the GSSException class so that when the initSecContext or
   acceptSecContext methods of the GSSContext class fails it has a
   chance to emit an error token which can be sent to the peer for
   debugging or informational purpose.  The stream-based GSSContext
   methods are also removed in this version.

   The GSS-API is described at a language-independent conceptual level
   in "Generic Security Service Application Program Interface Version 2,
   Update 1" (RFC 2743).  The GSS-API allows a caller application to
   authenticate a principal identity, to delegate rights to a peer, and
   to apply security services such as confidentiality and integrity on a
   per-message basis.  Examples of security mechanisms defined for GSS-
   API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The
   Kerberos Version 5 Generic Security Service Application Program
   Interface (GSS-API) Mechanism: Version 2" (RFC 4121).




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc5653bis/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-kitten-rfc5653bis/ballot/


No IPR declarations have been submitted directly on this I-D.





From nobody Mon Aug 28 18:07:50 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5014A1320C9 for <kitten@ietfa.amsl.com>; Mon, 28 Aug 2017 18:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x7HB7YiP2v_N for <kitten@ietfa.amsl.com>; Mon, 28 Aug 2017 18:07:47 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91CCD124207 for <kitten@ietf.org>; Mon, 28 Aug 2017 18:07:47 -0700 (PDT)
X-AuditID: 12074425-12fff70000000ce5-ff-59a4be62d137
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 31.8F.03301.26EB4A95; Mon, 28 Aug 2017 21:07:46 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v7T17iBb024128; Mon, 28 Aug 2017 21:07:45 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7T17efV016890 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 28 Aug 2017 21:07:43 -0400
Date: Mon, 28 Aug 2017 20:07:40 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Robbie Harwood <rharwood@redhat.com>
Cc: Greg Hudson <ghudson@mit.edu>, kitten@ietf.org
Message-ID: <20170829010740.GL96685@kduck.kaduk.org>
References: <x7d378j1rgh.fsf@equal-rites.mit.edu> <jlgfucj31t2.fsf@redhat.com> <3be44bb4-270e-64b7-4987-450c36885425@mit.edu> <jlgd17mc9cn.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ"
Content-Disposition: inline
In-Reply-To: <jlgd17mc9cn.fsf@redhat.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Iq48FdC4AgHcOZ3Lj34U-oaIlm4>
Subject: Re: [kitten] SPAKE and not replying to requests
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 01:07:49 -0000

--rwEMma7ioTxnRzrJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 23, 2017 at 04:33:44PM -0400, Robbie Harwood wrote:
> Greg Hudson <ghudson@mit.edu> writes:
>
> > On 08/22/2017 02:16 PM, Robbie Harwood wrote:
> >>> I propose to change this text to:
> >>>
> >>>     [...] If either factor fails to validate, the KDC SHOULD respond
> >>>     with an appropriate KRB-ERROR message.  The KDC MAY choose not to
> >>>     respond to the request, with the expectation that the client will
> >>>     retry against other KDC servers within the realm.
> >>
> >> I wonder if we should be more explicit about what the client should do
> >> if it doesn't get a reply from the server here.  Maybe something like,
> >> e.g., "The KDC MAY choose not to respond to the request, at which point
> >> the client SHOULD retry against other KDC servers within the realm." or
> >> so?
> >
> > I would prefer that this document not get into the weeds of client-KDC
> > network communication, but looking at RFC 4120, I think you are right
> > that nothing really says what the client should do in the face of a
> > timeout.  There are also cases where a client might not be able to reach
> > all KDC processes for a realm (network load balancers, MIT krb5 KDC
> > worker processes, etc.), so perhaps black-holing requests is a hack we
> > shouldn't encourage in the standard.
> >
> > With that in mind, I guess I just want the text to say:
> >
> >     If either factor fails to validate, the KDC SHOULD respond with an
> >     appropriate KRB-ERROR message.
> >
> > with no further discussion of what a KDC might choose to do instead.
>
> Agreed, that makes sense to me.

It makes sense to me as well.

-Ben

--rwEMma7ioTxnRzrJ--


From nobody Mon Aug 28 18:23:47 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 915731323A2; Mon, 28 Aug 2017 18:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rCYhB4vzi2lL; Mon, 28 Aug 2017 18:23:45 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19A9C1321EC; Mon, 28 Aug 2017 18:23:45 -0700 (PDT)
X-AuditID: 12074424-0f9ff700000042cd-f5-59a4c21f36a6
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id EA.31.17101.F12C4A95; Mon, 28 Aug 2017 21:23:43 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v7T1NgLR000422; Mon, 28 Aug 2017 21:23:42 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7T1Nc1s020872 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 28 Aug 2017 21:23:41 -0400
Date: Mon, 28 Aug 2017 20:23:38 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: Robbie Harwood <rharwood@redhat.com>, kitten@ietf.org, draft-ietf-kitten-krb-spake-preauth@ietf.org
Message-ID: <20170829012338.GM96685@kduck.kaduk.org>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu> <jlga82r2q1t.fsf@redhat.com> <c6d33fc1-13b6-03cf-0138-f3219cf7d7a1@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <c6d33fc1-13b6-03cf-0138-f3219cf7d7a1@mit.edu>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/VPAKwIf0MxgLoLXXFi91kFz4wQs>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-List-Received-Date: Tue, 29 Aug 2017 01:23:47 -0000

Sorry for the slow reply; I was on vacation last week.

On Tue, Aug 22, 2017 at 06:49:58PM -0400, Greg Hudson wrote:
> On 08/22/2017 06:30 PM, Robbie Harwood wrote:
> >> I tend to agree that any mandatory-to-implement policy should be
> >> written into this draft, and not be part of the registry.
> > 
> > The disadvantage of having mandatory-to-implement items defined but not
> > in the registry is that it fragments the numbering.  For example, in our
> > Kerberos SPAKE Groups registry, currently P-256 is required, and
> > assigned ID Number: 1.  If we remove it from the registry, it won't have
> > an ID Number.  (Unless we give it one a different way.)
> 
> I think I miscommunicated.  P-256 should be in the registry, but if we
> want to specify that it is mandatory-to-implement, I believe we should
> say that in the RFC outside of the IANA registry.

That's my understanding as well -- the MTI items should still be in
the registry, but the registry is not the best place to specify the
MTI nature.  Making something MTI for a standards-track document
"should" require standards-action, so there's not much value in having
a field in the registry when there will have to be a new document
for such things anyway.

-Ben


From nobody Mon Aug 28 18:43:14 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7479E1323A3; Mon, 28 Aug 2017 18:43:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOOL_W4671VQ; Mon, 28 Aug 2017 18:43:10 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4F271321AC; Mon, 28 Aug 2017 18:43:09 -0700 (PDT)
X-AuditID: 1209190f-c0dff700000071f5-37-59a4c6acff1a
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id A3.14.29173.CA6C4A95; Mon, 28 Aug 2017 21:43:08 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v7T1h7PV025194; Mon, 28 Aug 2017 21:43:07 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7T1h3SR026524 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 28 Aug 2017 21:43:05 -0400
Date: Mon, 28 Aug 2017 20:43:03 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-spake-preauth@ietf.org
Message-ID: <20170829014303.GN96685@kduck.kaduk.org>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/G6xmy16Gv6KNgaISWR3kHOO_Orc>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-List-Received-Date: Tue, 29 Aug 2017 01:43:13 -0000

Thanks for the detailed reply.  I'll try to trim some uncontroversial
bits.

On Sat, Aug 19, 2017 at 02:17:44PM -0400, Greg Hudson wrote:
> On 08/18/2017 02:10 PM, Benjamin Kaduk wrote:
> > Our transcript hash covers just the SPAKE negotiation messages (and
> > excludes the rest of the AS-REQ/AS-REP bodies, even the SPAKE second
> > factor messages as well?!), though the final KDC-REQ-BODY does get
> > included in the key derivation.  I haven't thought too hard about
> > whether this is potentially problematic, but are there reasons why
> > it would be difficult to hash everything for the transcript?
> > Oh, or is the claim that since the KDC-REQ-BODY goes into the K'
> > calculation that we get confirmation of "everything" anyway?
> 
> The transcript checksum is a vehicle for key derivation.  The primary
> requirement for key derivation (from the SPAKE2 algorithm) is that it
> must take into account the identities of both parties, both public
> values, the initial secret, and the computed shared group element.  The
> final KDC-REQ-BODY gives us the party identities (with the ancillary
> bonus of including other request parameters), and the transcript
> checksum includes the public values (with the ancillary bonus of
> including the advertised group numbers from the client if a SPAKESupport
> message was part of the exchange, in case there was a downgrade attack).

Ah, yes, I was making assumptions that the checksum would keep going,
but I now see that it's supposed to stop after a fixed number of
inputs (some of which are skipped depending on which optimizations are
in use).

> Things we could include in the transcript checksum but currently do not
> include:
> 
> * Other pa-data values in the request.  Including these would be
> difficult to implement, and would present a chicken-and-egg problem if
> other pa-data types want to do the same thing.
> 
> * KDC-REQ-BODY encodings other than the final one.  I don't see a
> problem with including these in the transcript hash, but I don't see an
> advantage either.
> 
> * More parts of intermediate KRB-ERRORs than the SPAKE pa-data.  The
> only part of an intermediate KRB-ERROR used by the client is the error
> code (PREAUTH_REQUIRED or MORE_PREAUTH_DATA_REQUIRED), and I don't see
> any wiggle room for the attacker in manipulating that.
> 
> * Second-factor messages.  In the current design, the same transcript
> checksum is used for all K'[n] derivations, and the first derivation is
> used to encrypt the first SPAKESecondFactor, before any other
> second-factor messages are created.  Changing the design to include a
> variable transcript hash would, I think, make the standard harder to
> understand and implement.
> 
> * Parts of the AS-REP.  No SPAKE message accompanies the AS-REP, so this
> could only be used for the derivation of the final reply key used to
> encrypt the enc-part.  As for the previous bullet, including any part of
> the AS-REP would require changing the transcript checksum for different
> key derivations.  Most of the AS-REP contents (everything but the
> ticket) are redundant or couldn't be included in the derivation for one
> reason or another anyway.

Thanks for listing these out; I'm now convinced that I agree with your
analysis, and we don't gain much by expanding the scope of the transcript.

> > We do reply key strengthening with K'[0] at present.  It seems like
> > using K'[last-n-of-proper-parity] would include more transcript
> > checksum and thus nominally be "better"; is that flawed reasoning?
> 
> As noted above, the transcript checksum does not depend on n.  n is just
> a numeric parameter that feeds into the key derivation function.
> 
> Obviously this aspect of the design needs to be more explicit.  I
> propose to add this sentence to section 6 after the sentence beginning
> "It therefore incorporates...":
> 
>     Once the transcript checksum is finalized, it is used without
>     change for all key derivations (section 7).

That would probably help, thanks.

> > We should have test vectors before final publication.
> 
> Agreed.  I have the ability to generate test vectors (using a separate
> Python implementation, not the C implementation for MIT krb5), but they
> will change when key usage values are assigned, so I haven't included
> any in the draft yet.

It seems likely that this document will advance before
draft-ietf-kitten-kerberos-iana-registries.  Do I understand correctly
that the Kerberos Registrar role has been transferred to you?  Any
comment on when you would feel comfortable making an official assignment?

> > I'm not sure that the registry policies make sense, most notably
> > with respect to marking things as Required (to implement).
> 
> I tend to agree that any mandatory-to-implement policy should be written
> into this draft, and not be part of the registry.
> 
> > In a weaker sense, anything adding values
> > in these registries could be seen as adding to the ASN.1 module
> 
> To my mind, the ASN.1 module only defines the wire encoding of
> particular data inputs.  That encoding does not change when new groups
> are added.

That's the interpretation I'm inclined to use; I just mentioned the other
for discussion.

> > In section 1.1, item (4) (either side can store password or equivalent)
> > makes it sound like only one side needs to store anything.  Maybe it's
> > supposed to say that "Each side has freedom to pick whether to store
> > a password or password-equivalent"?
> 
> I am not personally sure what this bullet point means; I will make a
> note to discuss it.

Thanks.

> > I'll also note that OpenSSL has recently changed its documentation to
> > refer to the more-vague "randomness" since it can be hard to use "entropy"
> > in a technically correct way.  But that decision seems to fall squarely
> > within editorial discretion, even if I had a strong opinion about it
> > (which I don't).
> 
> I have seen people quibble with using "entropy" the way that some
> cryptographic documents do (very roughly, to mean the number of equally
> likely values a state variable could have given all of the information
> available to an attacker), but I never saw how "randomness" was better.

It's definitely not clear-cut; leaving "entropy" seems fine to me.

> > I wonder to some extent whether all of section 1.2 is needed for a final
> > document.
> 
> This section hasn't necessarily aged well, as there are other PAKE
> algorithms not described within.  I would be okay with shortening it,
> perhaps not to name any specific alternatives.

Not naming any specific alternatives is probably the right thing to
do, given the advances you mention.

> > Section 1.2 should probably compare the single-round-trip nature of
> > SPAKE against the round-trip count of ENC_TIMESTAMP.
> 
> I am not sure there's any concise comparison to be made for this
> section.  The way we are using SPAKE (with the KDC presenting the
> initial public value) means we might use one more round trip than
> encrypted timestamp, or we might use the same number if one of the
> described optimizations is used.

I was imagining something like:

[... single round trip, allowing SPAKE preauthentication to occur in
the same number of round trips as encrypted timestamp, if either
optimization from section 4.6 is used.  If neither optimization is used,
an additional round trip is incurred, but in consideration of all the
above properties, SPAKE remains an ideal PAKE for use in Kerberos
pre-authentication.

> > Section 1.3 notes that we allow secure transfer of material from client
> > to KDC for verification; while reviewing I noted that (the initial
> > challenge) from KDC to client remains unauthenticated; do we want to
> > mention that limitation explicitly here?
> 
> It is pointed out in the security considerations.  I can see how section
> 1.3 as currently written could be a little deceptive; however, at this
> point the text is speaking generally about how a PAKE can be used in the
> design of Kerberos two-factor authentication.  As we haven't even
> started talking concretely about the SPAKE preauth mech, I'm not
> comfortable adding that caveat here.

Okay.

> > It seems like we're mostly just justifying the scheme here
> 
> We currently refer normatively to the CFRG SPAKE2 document.  Someone who
> has read that document needs to know how this protocol relates to it.
> Here we are saying that we use a custom key derivation function, as
> allowed by that draft.

That seems clear to me now; maybe it was just the "also" that got me
confused.

> (As the CFRG draft hasn't advanced for many months, Nathaniel and I have
> discussed the possibility of not using it normatively, and describing
> the algorithm in this document instead.  But that's a wider topic.)

I can put my chair hat on and ask the CFRG chairs for a status update.

> > I thought a little bit about proposing to exclude the ASN.1 extension
> > marker from PA-SPAKE, but the argument for doing so is fairly weak
> > and it doesn't really have a downside, so I guess it should stay.
> > (We could perhaps be clear that an "empty" value is a zero-length
> > OCTET STRING.)
> 
> I'm a bit paranoid about tricking implementors into putting 04 00 into
> the padata-value, rather than using 04 00 as the padata-value.  In my
> mental model, RFC 4120 already specifies that padata-value is a
> non-optional OCTET STRING, and that's not really within the purview of
> this document.  I know that other people have their own models, but I am
> not really worried about an implementor leaving out the padata-value
> entirely as that would quickly be discovered in interop testing.

Seems reasonable enough to me.

> > Section 4.1 seems like it could be read as saying that the client
> > should send an AS-REQ with no PA-DATA, and then the KDC responds with
> > a KRB-ERROR and only the PA-SPAKE METHOD-DATA (and no others)
> 
> I will add a parenthetical "(possibly in addition to other PA-DATA
> elements)".

Thanks.

> > Section 4.2 lets ("MAY") the KDC pick a group not listed by the client;
> > do we ever expect this to result in a working connection?
> 
> I can bring that up again for discussion; I know I've talked about it
> with Nathaniel before, but I can't remember the details.  One possible
> use is to communicate to the client what it would have to
> implement/enable to interop with the KDC, even if we don't expect it to
> work for this particular exchange.

Okay.  I don't object to keeping the current text.

> > In section 4.6, a forward reference to section 6 when mentioning the
> > transcript hash could be helpful.
> 
> We have a forward reference in the first use of "transcript checksum" in
> section 4.2, and not for the second use in section 4.2 or the use in
> section 4.3.  As section 4.6 describes a modification of 4.1/4.2/4.3,
> I'm not sure we need another forward reference.

Okay.

> I did note that we inconsistently use "transcript hash" and "transcript
> checksum".  I will standardize on "transcript checksum".

Thanks!

> > I would consider moving the note that the PRF+ used here is the
> > RFC6113 one earlier, perhaps even to the introduction if not the
> > start of section 7 where we talk about "PRF+ input".
> 
> We use PRF+ in two places (section 5 and section 7).  In both places, we
> refer to RFC 6113 right after we use the function.  It is true that in
> section 7 we talk at some length about the PRF+ input string before
> actually invoking PRF+ and including the reference, but I don't see that
> as a problem--it would be pretty hard for an implementor to miss the
> reference and use the wrong PRF+.  I would be okay with just defining
> the "input string" without referencing PRF+ until afterwards, if that
> would be clearer.

I think that would alleviate my concern, yes.

> > Section 9 fourth paragraph could perhaps say a bit more about why
> > the client cannot be a signing oracle.
> 
> Can you be more specific or propose text?  I don't know how to act on
> this feedback item.

Well, I'm not sure I completely understand it myself, so it's hard to
propose text.  Namely, the client is a "signing oracle" in that it
will happily sign whatever is put in front of it ... but this is
believed to not be a problem, because the key used for the signing
depends on the message being signed in a way that is (hoped to be)
specific to this protocol and would not be usable in a different
context.  If that's correct, it's probably worth calling out the
message-dependence of the signing key and consequent non-transferability
of the signature.

> > Also in section 9, now on page 14, second paragraph, I'm not
> > entirely sure what is at risk of compromise, which also leaves me
> > confused as to whether the "non-" part of "non-negligible" is
> > correct.
> 
> That paragraph seems vague and could possibly be removed.  If an
> implementation doesn't derive the right encryption keys, it won't
> interop or match the (forthcoming) test vectors anyway.

I think it is probably safe to remove.

> > Just below, for the paragraph after the list of forbidden checksum
> > types, we talk of the EncryptedData messages having potential side
> > channels.  It seems that this may apply to both the encdata arm of
> > the PA-SPAKE CHOICE and the SpakeResponse factor; should we make
> > this more explicit?
> 
> Both of those use EncryptedData (and are the only uses of EncryptedData
> in the spec), so yes, it's intended to apply to both.  I'll propose this
> text:
> 
>     Both the size of the EncryptedData and the number of
>     EncryptedData messages used for second-factor data (including the
>     factor field of the SPAKEResponse message and messages using the
>     encdata PA-SPAKE choice) may reveal information about the second
>     factor used in an authentication.

Sounds good.

> > The next paragraph talks of an attacker being able to replay the
> > final message to any of the realm's KDCs, but does not comment
> > on whether multiple replays are possible at a given KDC.  (As I
> > understand it, MIT's lookaside cache would be expected to trigger
> > and not incur additional authentication being logged, but I don't
> > know that that's universal.)
> 
> I think this was my text, and my intent was to include both the same KDC
> and other KDCs.  I wouldn't expect the lookaside cache to be much
> protection, as the attacker could probably make small manipulations to
> the request so that it doesn't match byte-for-byte.  I'm not sure the
> text needs to make that any more explicit.

Okay.  (I do agree that the current text does apply to the same KDC
as well as other KDCs.)


> > Later in the same paragraph, maybe
> > s/instead/in contrast/, and specify that the key exchange is an
> > asymmetric one, since we do a lot of symmetric key exchange in Kerberos.
> 
> I will use "in contrast", but I'm not sure it would add clarity to say
> that the SPAKE key exchange is asymmetric--it does, after all, result in
> a symmetric key.

Fair enough.

> > The first paragraph/sentence of section 5 is rather ungainly; could
> > it be reworded and/or split in twain?
> 
> I will just remove the middle part, so that it says:
> 
>     Group elements are converted to octet strings using the
>     serialization method defined in the IANA "Kerberos SPAKE Groups"
>     registry created by this document.

That works for me!

> > Item 2 should probably also clarify that there is no trailing 0 included.
> 
> Disagree.  It would be very noisy to explicitly disclaim trailing 0
> bytes every time IETF standards talk about strings.

This is true, though I seem to see it fairly often.

> > Page 15, second-to-last paragraph, "is weaker than the secret key"
> > could include a secret key derived from a weak password, whose
> > brute-force resistance is quite low (and part of the justification
> > for this behavior).  It's probably better to talk about the key size
> > of the secret key and the strength attributed to keys of that size,
> > than just the strength of the key itself.
> 
> I propose:
> 
>     The selected group's resistance to offline brute-force attacks
>     may not correspond to the size of the reply key. For performance
>     reasons, a KDC MAY select a group whose brute-force work factor is
>     less than the reply key length. [...]

That addresses my concern, thanks.


Is there anything else we need to discuss before an -01 can be issued?

Thanks again,

Ben
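
Added example (not part of the original thread, and not code from the draft or from MIT krb5): a simplified Python model of the design discussed above, in which the transcript checksum is finalized once over a fixed set of negotiation inputs and then reused unchanged for every K'[n]. SHA-256, HMAC, the field layout, the function names and all message bytes are assumptions made for illustration; the draft's real checksum and PRF+ construction differ.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256  # stand-in hash (assumption, not the draft's checksum type)


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split."""
    return struct.pack(">I", len(field)) + field


def transcript_checksum(support, challenge, client_pub):
    """Fold the fixed set of negotiation inputs into one checksum.

    An input is None when an optimization skipped that message, so the
    checksum stops after at most three inputs and never "keeps going".
    """
    state = b"\x00" * HASH().digest_size
    for msg in (support, challenge, client_pub):
        if msg is not None:
            state = HASH(state + msg).digest()
    return state


def derive_key(w, shared_element, checksum, req_body, n):
    """Model of K'[n]: initial secret, shared element, public values (via the
    checksum), party identities (via the final KDC-REQ-BODY), and counter n."""
    info = b"".join(_lp(f) for f in (shared_element, checksum, req_body))
    return hmac.new(w, info + struct.pack(">I", n), HASH).digest()


def run_exchange(client_support, kdc_seen_support, count=4):
    """Derive K'[0..count-1] on both sides.

    client_support is what the client sent and hashed; kdc_seen_support is
    what arrived at the KDC. They differ only if the message was altered in
    transit, e.g. to strip stronger groups from the advertised list.
    All byte strings below are constructed sample values.
    """
    challenge = b"constructed-SPAKEChallenge(group=1, pubkey=T)"
    client_pub = b"constructed-client-public-value-S"
    w = b"constructed-initial-secret-w"
    shared = b"constructed-shared-group-element-K"
    body = b"constructed-final-KDC-REQ-BODY(cname, realm, sname)"

    client_ck = transcript_checksum(client_support, challenge, client_pub)
    kdc_ck = transcript_checksum(kdc_seen_support, challenge, client_pub)
    client_keys = [derive_key(w, shared, client_ck, body, n) for n in range(count)]
    kdc_keys = [derive_key(w, shared, kdc_ck, body, n) for n in range(count)]
    return client_keys, kdc_keys


if __name__ == "__main__":
    honest = b"constructed-SPAKESupport(groups=[2, 1])"
    stripped = b"constructed-SPAKESupport(groups=[1])"

    c, k = run_exchange(honest, honest)
    print("honest exchange, keys agree:", c == k)
    print("K'[n] distinct for each n:  ", len(set(c)) == len(c))

    c, k = run_exchange(honest, stripped)
    print("altered group list, K'[0] agrees:", c[0] == k[0])
```

Because the advertised group list feeds the one checksum that every derivation shares, altering it in transit makes K'[0] disagree, so the first encrypted second-factor message already fails to decrypt.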


From nobody Tue Aug 29 06:49:06 2017
Return-Path: <nmccallu@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D94113293C for <kitten@ietfa.amsl.com>; Tue, 29 Aug 2017 06:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUE00SaUDSde for <kitten@ietfa.amsl.com>; Tue, 29 Aug 2017 06:49:03 -0700 (PDT)
Received: from mail-io0-f179.google.com (mail-io0-f179.google.com [209.85.223.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7240D132CEA for <kitten@ietf.org>; Tue, 29 Aug 2017 06:41:18 -0700 (PDT)
Received: by mail-io0-f179.google.com with SMTP id d81so19464475ioj.4 for <kitten@ietf.org>; Tue, 29 Aug 2017 06:41:18 -0700 (PDT)
X-Received: by 10.107.55.136 with SMTP id e130mr3766461ioa.148.1504014077628;  Tue, 29 Aug 2017 06:41:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.62.66 with HTTP; Tue, 29 Aug 2017 06:41:16 -0700 (PDT)
In-Reply-To: <20170829014303.GN96685@kduck.kaduk.org>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu> <20170829014303.GN96685@kduck.kaduk.org>
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Tue, 29 Aug 2017 09:41:16 -0400
Message-ID: <CAOASepOzYZj9yr5=GgJJGQLEVfc3Eezyegpb4mCeGw8AUo5uQg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Greg Hudson <ghudson@mit.edu>, kitten@ietf.org,  draft-ietf-kitten-krb-spake-preauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/SAoa3ZUpSA_vU8mzuo8Q8la91gc>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-List-Received-Date: Tue, 29 Aug 2017 13:49:05 -0000

On Mon, Aug 28, 2017 at 9:43 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> Thanks for the detailed reply.  I'll try to trim some uncontroversial
> bits.
>
> On Sat, Aug 19, 2017 at 02:17:44PM -0400, Greg Hudson wrote:
>> On 08/18/2017 02:10 PM, Benjamin Kaduk wrote:
>> (As the CFRG draft hasn't advanced for many months, Nathaniel and I have
>> discussed the possibility of not using it normatively, and describing
>> the algorithm in this document instead.  But that's a wider topic.)
>
> I can put my chair hat on and ask the CFRG chairs for a status update.

Please do. That would help.

>> > Section 9 fourth paragraph could perhaps say a bit more about why
>> > the client cannot be a signing oracle.
>>
>> Can you be more specific or propose text?  I don't know how to act on
>> this feedback item.
>
> Well, I'm not sure I completely understand it myself, so it's hard to
> propose text.  Namely, the client is a "signing oracle" in that it
> will happily sign whatever is put in front of it ... but this is
> believed to not be a problem, because the key used for the signing
> depends on the message being signed in a way that is (hoped to be)
> specific to this protocol and would not be usable in a different
> context.  If that's correct, it's probably worth calling out the
> message-dependence of the signing key and consequent non-transferability
> of the signature.

An attacker who wished to use the client as an encryption/signing
oracle would have to already know the LTK. Without this, the client
produces an invalid signature. And since the LTK is the target of the
attack, this is logically precluded.


From nobody Tue Aug 29 08:28:36 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169E1132D0B; Tue, 29 Aug 2017 08:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZH98AMt3RF25; Tue, 29 Aug 2017 08:28:33 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 542C6132C3B; Tue, 29 Aug 2017 08:28:33 -0700 (PDT)
X-AuditID: 1209190c-53bff70000005ea2-dc-59a588209cd5
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id DE.04.24226.02885A95; Tue, 29 Aug 2017 11:28:32 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7TFSV1O014468; Tue, 29 Aug 2017 11:28:31 -0400
Received: from [18.101.8.82] (VPN-18-101-8-82.MIT.EDU [18.101.8.82]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7TFSSu1022134 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 29 Aug 2017 11:28:30 -0400
To: Benjamin Kaduk <kaduk@mit.edu>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu> <20170829014303.GN96685@kduck.kaduk.org>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-spake-preauth@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <8bfdfb7c-9cc4-d6ee-125b-91713bdc2925@mit.edu>
Date: Tue, 29 Aug 2017 11:28:28 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170829014303.GN96685@kduck.kaduk.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/kghEt1ld3xYjfvsXmtNdgjFAWH0>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 15:28:35 -0000

On 08/28/2017 09:43 PM, Benjamin Kaduk wrote:
>> Agreed.  I have the ability to generate test vectors (using a separate
>> Python implementation, not the C implementation for MIT krb5), but they
>> will change when key usage values are assigned, so I haven't included
>> any in the draft yet.
> 
> It seems likely that this document will advance before
> draft-ietf-kitten-kerberos-iana-registries.  Do I understand correctly
> that the Kerberos Registrar role has been transferred to you?  Any
> comment on when you would feel comfortable making an official assignment?

I would like a sense of consensus on the material aspects of the
protocol (as opposed to its presentation), to avoid having to reassign
the numbers and deprecate the old ones.  Having reviews from you and
Hank that don't propose material changes (now that the transcript
checksum issue is resolved) is helpful there.

I would also like to propose adding an ed25519 group (as I have put
together a decent implementation of one by borrowing code from
BoringSSL) and perhaps making it the only mandatory-to-implement group;
that should probably happen before assigning numbers.  That should of
course be discussed in a separate thread.

>>> Section 1.2 should probably compare the single-round-trip nature of
>>> SPAKE against the round-trip count of ENC_TIMESTAMP.
>>
>> I am not sure there's any concise comparison to be made for this
>> section.  The way we are using SPAKE (with the KDC presenting the
>> initial public value) means we might use one more round trip than
>> encrypted timestamp, or we might use the same number if one of the
>> described optimizations is used.
> 
> I was imagining something like:
> 
> [... single round trip, allowing SPAKE preauthentication to occur in
> the same number of round trips as encrypted timestamp, if either
> optimization from section 4.6 is used.  If neither optimization is used,
> an additional round trip is incurred, but in consideration of all the
> above properties, SPAKE remains an ideal PAKE for use in Kerberos
> pre-authentication.

As this section is still just talking about general PAKE algorithms, I
think it would be confusing to start diving into the weeds of the
specific protocol this early.


From nobody Tue Aug 29 11:08:54 2017
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA7B132C37; Tue, 29 Aug 2017 11:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.92
X-Spam-Level: 
X-Spam-Status: No, score=-6.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1NjR77kx2_Z; Tue, 29 Aug 2017 11:08:51 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 611801321AF; Tue, 29 Aug 2017 11:08:51 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0353481236; Tue, 29 Aug 2017 18:08:51 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0353481236
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=rharwood@redhat.com
Received: from localhost (ovpn-66-67.rdu2.redhat.com [10.10.66.67]) by smtp.corp.redhat.com (Postfix) with ESMTP id B97595D98C; Tue, 29 Aug 2017 18:08:50 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-spake-preauth@ietf.org
In-Reply-To: <20170829012338.GM96685@kduck.kaduk.org>
References: <20170818181043.GC35188@kduck.kaduk.org> <59e6271c-5970-5cb7-209a-73a1e02cc5f8@mit.edu> <jlga82r2q1t.fsf@redhat.com> <c6d33fc1-13b6-03cf-0138-f3219cf7d7a1@mit.edu> <20170829012338.GM96685@kduck.kaduk.org>
Date: Tue, 29 Aug 2017 14:09:26 -0400
Message-ID: <jlg378a1c15.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Tue, 29 Aug 2017 18:08:51 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/8GPlHpAwcgFy_YGd2lSqB5VDEMY>
Subject: Re: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 18:08:53 -0000

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Benjamin Kaduk <kaduk@mit.edu> writes:

> On Tue, Aug 22, 2017 at 06:49:58PM -0400, Greg Hudson wrote:
>> On 08/22/2017 06:30 PM, Robbie Harwood wrote:
>> >> I tend to agree that any mandatory-to-implement policy should be
>> >> written into this draft, and not be part of the registry.
>> >
>> > The disadvantage of having mandatory-to-implement items defined but not
>> > in the registry is that it fragments the numbering.  For example, in our
>> > Kerberos SPAKE Groups registry, currently P-256 is required, and
>> > assigned ID Number: 1.  If we remove it from the registry, it won't have
>> > an ID Number.  (Unless we give it one a different way.)
>>
>> I think I miscommunicated.  P-256 should be in the registry, but if we
>> want to specify that it is mandatory-to-implement, I believe we should
>> say that in the RFC outside of the IANA registry.
>
> That's my understanding as well -- the MTI items should still be in
> the registry, but the registry is not the best place to specify the
> MTI nature.  Making something MTI for a standards-track document
> "should" require standards-action, so there's not much value in having
> a field in the registry when there will have to be a new document
> for such things anyway.

Thanks for clarifying.  Language changes have been proposed.

--Robbie

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--


From nobody Tue Aug 29 16:51:42 2017
Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBD63132B9B for <kitten@ietfa.amsl.com>; Tue, 29 Aug 2017 16:51:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Level: 
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcYxzyRlBoCO for <kitten@ietfa.amsl.com>; Tue, 29 Aug 2017 16:51:39 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC5E5132A94 for <kitten@ietf.org>; Tue, 29 Aug 2017 16:51:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id D7361C961B; Tue, 29 Aug 2017 23:51:38 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo01-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uzymYfvJ0jTX; Tue, 29 Aug 2017 23:51:38 +0000 (UTC)
Received: from macbook-air-2.lan (66-215-86-135.dhcp.psdn.ca.charter.com [66.215.86.135]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 4D001C961A; Tue, 29 Aug 2017 23:51:34 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <20170829010740.GL96685@kduck.kaduk.org>
Date: Tue, 29 Aug 2017 16:51:33 -0700
Cc: Robbie Harwood <rharwood@redhat.com>, kitten@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BC5553D-F37C-4F6A-88C9-FDBDADFDEA26@oxy.edu>
References: <x7d378j1rgh.fsf@equal-rites.mit.edu> <jlgfucj31t2.fsf@redhat.com> <3be44bb4-270e-64b7-4987-450c36885425@mit.edu> <jlgd17mc9cn.fsf@redhat.com> <20170829010740.GL96685@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/kvkkRg_wR8KL05k8thJsdYd4ybI>
Subject: Re: [kitten] SPAKE and not replying to requests
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 23:51:42 -0000

‘sarright. ;-)

> On Aug 28, 2017, at 6:07 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> On Wed, Aug 23, 2017 at 04:33:44PM -0400, Robbie Harwood wrote:
>> Greg Hudson <ghudson@mit.edu> writes:
>>
>>> On 08/22/2017 02:16 PM, Robbie Harwood wrote:
>>>>> I propose to change this text to:
>>>>>
>>>>>    [...] If either factor fails to validate, the KDC SHOULD respond
>>>>>    with an appropriate KRB-ERROR message.  The KDC MAY choose not to
>>>>>    respond to the request, with the expectation that the client will
>>>>>    retry against other KDC servers within the realm.
>>>>
>>>> I wonder if we should be more explicit about what the client should do
>>>> if it doesn't get a reply from the server here.  Maybe something like,
>>>> e.g., "The KDC MAY choose not to respond to the request, at which point
>>>> the client SHOULD retry against other KDC servers within the realm." or
>>>> so?
>>>
>>> I would prefer that this document not get into the weeds of client-KDC
>>> network communication, but looking at RFC 4120, I think you are right
>>> that nothing really says what the client should do in the face of a
>>> timeout.  There are also cases where a client might not be able to reach
>>> all KDC processes for a realm (network load balancers, MIT krb5 KDC
>>> worker processes, etc.), so perhaps black-holing requests is a hack we
>>> shouldn't encourage in the standard.
>>>
>>> With that in mind, I guess I just want the text to say:
>>>
>>>    If either factor fails to validate, the KDC SHOULD respond with an
>>>    appropriate KRB-ERROR message.
>>>
>>> with no further discussion of what a KDC might choose to do instead.
>>
>> Agreed, that makes sense to me.
>
> It makes sense to me as well.
>
> -Ben

Personal email.  hbhotz@oxy.edu




From nobody Wed Aug 30 15:37:38 2017
Return-Path: <mrex@sap.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1980313294B for <kitten@ietfa.amsl.com>; Wed, 30 Aug 2017 15:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level: 
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F93rbrZn14vY for <kitten@ietfa.amsl.com>; Wed, 30 Aug 2017 15:37:35 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C75261200F3 for <kitten@ietf.org>; Wed, 30 Aug 2017 15:37:34 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 3xjL3w6kxvz1HBc; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
X-purgate-ID: 152705::1504132652-00000805-1EE4DD83/0/0
X-purgate-size: 2274
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3xjL3w3GgTzGnyY; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 6A91B1A6EC; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
In-Reply-To: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
To: Stefan Metzmacher <metze@samba.org>
Date: Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
CC: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>,  heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,  "kitten@ietf.org" <kitten@ietf.org>,  Samba Technical <samba-technical@lists.samba.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170830223732.6A91B1A6EC@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/02No9I7ws-qjjWtJ1I4Cb9MyJW4>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2017 22:37:37 -0000

Stefan Metzmacher wrote:
> 
>>> I guess the proposed credential option is necessary, in that case.
>>>
>> 
>> I think in this case ignoring the flag should probably be conditional
>> to whether a PAC is present.
> 
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.

I haven't really followed the discussion here, but Microsoft PACs are
a royal PITA, wasting huge amounts of network bandwidth, creating
bad latency on authentication, causing spurious authentication failures
during high-load situations and completely breaking certain rfc4559
HTTP Negotiate scenarios when users are assigned to lots of groups
in Microsoft AD.  Bottlenecks in LSA PAC verifications are extremely
annoying, such as using Outlook&Exchange with 50k+ Users and
at least once an hour an Outlook Password logon prompt pops up because
one of the crazy many rfc4559 Kerberos authentications failed between
Outlook and Exchange.  (Hitting cancel on the popup and toggling
offline/online in the Outlook window status bar retries Kerberos
authentication and typically succeeds...)


Simply disabling PACs on the service account for service tickets
solves all of the hard and annoying problems, by enabling the bit
UF_NO_AUTH_DATA_REQUIRED (0x02000000) in the UserAccountControl
property of the service account.

Without setting this bit to omit the crazy PACs, common problems with
heavy (mindless) Group membership usage are this:

   https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/


Reasons why the myriads of PAC verifications occasionally fail:

   https://blogs.technet.microsoft.com/instan/2011/11/14/the-return-of-pac-mania-aka-some-reasons-why-pac-verification-can-fail/

and btw. huge kerberos tickets can also make rfc4559 fail because of
the excessive size of the HTTP header field to carry the AP_REQ with the
kerberos ticket.

Whenever authorization isn't actually managed through PACs,
i.e. pretty much 100% of the time when the backend is a database
and access through rfc4559 HTTP Negotiate, omitting PACs from Kerberos
tickets comes close to a universal panacea for a huge amount of
"occasional" failures.


-Martin
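
The following is an added example, not part of the message above and not code from any of the projects discussed: a small Python audit helper built around the UF_NO_AUTH_DATA_REQUIRED value quoted in the message. It builds the LDAP bitwise filter for listing accounts that have the bit set and estimates the rfc4559 request header size for a given token; the account names, userAccountControl values, token sizes and the 8192-byte header limit are constructed assumptions.

```python
import base64

# Bit value quoted in the message above.
UF_NO_AUTH_DATA_REQUIRED = 0x02000000
# Active Directory's bitwise-AND LDAP matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"
# Request header line that carries the base64 GSS token in HTTP Negotiate.
HEADER_PREFIX = "Authorization: Negotiate "


def pac_omitted(uac):
    """True if the account asks the KDC to leave the PAC out of service tickets."""
    return bool(uac & UF_NO_AUTH_DATA_REQUIRED)


def ldap_filter_pac_omitted():
    """LDAP filter matching every account that has the bit set."""
    return "(userAccountControl:%s:=%d)" % (BIT_AND_RULE, UF_NO_AUTH_DATA_REQUIRED)


def negotiate_header_len(token):
    """Length in bytes of the header line once the token is base64-encoded."""
    return len(HEADER_PREFIX) + len(base64.b64encode(token))


def audit(accounts, header_limit):
    """Return one (name, pac_omitted, header_len, fits) tuple per account.

    accounts is an iterable of (name, userAccountControl, sample_token).
    header_limit is the largest single header line the HTTP server accepts.
    """
    rows = []
    for name, uac, token in accounts:
        hlen = negotiate_header_len(token)
        rows.append((name, pac_omitted(uac), hlen, hlen <= header_limit))
    return rows


# Constructed sample data: names, flag values and token sizes are invented
# for illustration and do not come from the thread.
SAMPLE_ACCOUNTS = [
    ("svc-web", 0x00000200, bytes(12000)),   # PAC included, large token
    ("svc-db", 0x02000200, bytes(1500)),     # PAC omitted, small token
    ("svc-mail", 0x00010200, bytes(5000)),   # PAC included, mid-size token
]
# Assumed per-header limit; real servers and proxies differ and are configurable.
ASSUMED_HEADER_LIMIT = 8192

if __name__ == "__main__":
    print(ldap_filter_pac_omitted())
    for row in audit(SAMPLE_ACCOUNTS, ASSUMED_HEADER_LIMIT):
        print("%-9s pac_omitted=%-5s header=%5d fits=%s" % row)
```
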

