
From stephen.farrell@cs.tcd.ie  Wed Nov  2 09:45:46 2011
Message-ID: <4EB173A1.6040209@cs.tcd.ie>
Date: Wed, 02 Nov 2011 16:45:21 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13

Hi,

Good work - another one almost out the door! Thanks.

However, I think this one needs a revised ID before we start
IETF LC. Nothing hard to change I hope, but I think there
are enough changes to make that it's best done that way.

I reckon items 3,5,7-11 and 13 below need fixing, but are
I hope all easy. Not sure about item 4.

All my other comments can be considered in conjunction with
whatever other IETF LC comments we get, or now, whichever.

If you want to argue that the WG already had strong consensus
against a change I'm asking for, or that I'm just being dumb,
(which happens all the time:-) then please do that and we can
discuss it on the list and/or at the meeting.

Regards,
Stephen.

questions/comments:

1) What does the 1st sentence of section 2 mean? What is the 2119
MAY for? Couldn't that sentence be deleted? If not, why not?

2) I think you should warn implementers in 2.3 that using the query
string is fairly likely to result in the access token being logged,
which is highly undesirable. (That is there later too, but I think
deserves to be here.) What does "the only feasible method" mean?  I
think that needs to be defined, as was done in 2.2.

3) Where's it say what to do with a scope attribute presented
by a server?

4) What is the realm attribute in section 3? What is a
client expected to do with that? I guess it has to be different
from how realm is used with e.g. Basic. (That might be my
ignorance of HTTP details though;-)

5) Section 3 ABNF allows "realm=foo;realm=bar;scope=baz;error=123"
is that ok? Is processing clear for all cases? I don't think it
is.

6) 3.1, invalid_token - the client MAY retry, SHOULD it do that in
an infinite loop? Probably not;-)

7) "Assuming" token integrity protection is wrong. You need to make
it a MUST. That is, you need to say that resource servers MUST only
accept tokens with strong integrity or similar.

8) I think you need to say that TLS is MTI and MUST be used, (i.e.
with 2119 language) and it'd be better to put that in the
introduction as well as 4.2.

9) As-is 4.2 allows anonymous D-H TLS ciphersuites. I don't think
you want that, but yet you only call for ciphersuites that "offer
confidentiality." I think that needs to be tightened up. 4.3 does
tighten there, but I think 4.2's language also needs fixing.

10) The token validity doesn't have to be "inside." I could e.g.
change a token MAC verification key every hour and limit lifetime
that way.

11) Two paragraphs in 4.2 contradict one another. 3rd last para says
you MUST use TLS, 2nd last para says you MUST have confidentiality
"for instance...TLS." I'd ditch the second one I think, but
something needs fixing.

12) Why reference 2818 instead of 6125?

13) I think you need to say something here about load balancers and
other server side things that terminate TLS, before the resource
server and behind which bearer tokens are unprotected.  At least say
that tokens MUST be protected there and provide guidance as to how
to do that well. Lots of people do that badly I think. (At least at
first;-)

14) Why are cookies first mentioned in 4.3? Seems like that should
have been done earlier.


nits:

abstract: maybe s/granted resources/the associated resources/?

abstract: s/the bearer token needs to/bearer tokens need to/?

1.2: s/abstraction layer/abstraction/ I don't see any layer there

2.1: I (and others) dislike the use of the reference as if it were
part of the sentence, e.g. "defined by [I-D.whatever],..." Better
would be "defined as part of HTTP authentication [I-D.whatever]"
There are multiple occurrences of this.

2.1: s/follows/as follows/

2.1, last para: I think the SHOULD in the last para of 2.1 and the
corresponding rules in 2.2 & 2.3  would be better stated up front.

end of p7, s/attribute MUST NOT/attributes MUST NOT/

4.2, s/recommended/RECOMMENDED/ is better but they mean the same
already!

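The challenge handling in items 3 to 6 above, as an added example (not code from the draft or from any poster): a parser for a WWW-Authenticate: Bearer challenge that rejects a repeated attribute such as realm=foo, realm=bar instead of guessing, and a client policy that bounds invalid_token retries. It assumes the HTTP auth-param syntax (comma-separated name=value pairs, values either bare tokens or quoted strings), and the action names and the single-retry limit are this example's own choices.

```python
import re

# One auth-param: a name, '=', then either a quoted-string or a bare token,
# followed by a comma or the end of the header value.
_AUTH_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^",\s]+))\s*(?:,|$)'
)


class ChallengeError(ValueError):
    """The challenge is malformed or ambiguous and must not be acted on."""


def parse_bearer_challenge(header_value):
    """Return the auth-params of a 'Bearer ...' WWW-Authenticate value as a dict.

    A repeated attribute (the realm=foo, realm=bar case from item 5) is rejected
    rather than silently taking the first or the last value.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ChallengeError("not a Bearer challenge: %r" % scheme)
    params = {}
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ChallengeError("malformed auth-param at: %r" % rest[pos:])
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escapes
        else:
            value = m.group(3)
        if name in params:
            raise ChallengeError("attribute %r appears twice" % name)
        params[name] = value
        pos = m.end()
    return params


def challenge_is_unambiguous(header_value):
    """True when the challenge parses and repeats no attribute."""
    try:
        parse_bearer_challenge(header_value)
    except ChallengeError:
        return False
    return True


def client_action(params, retries_so_far, max_retries=1):
    """Decide what the client does next (this example's own policy, item 6).

    invalid_token gets a bounded number of re-authorization attempts instead
    of an open-ended retry loop.
    """
    error = params.get("error")
    if error is None:
        return "obtain_token"              # no token was presented yet
    if error == "invalid_token":
        if retries_so_far < max_retries:
            return "refresh_and_retry"
        return "give_up"
    if error == "insufficient_scope":
        return "request_scope:" + params.get("scope", "")
    if error == "invalid_request":
        return "fix_request"
    return "give_up"                       # unknown error value
```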

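Item 10's point that validity need not live inside the token, as an added example that is not part of the review or the draft: the MAC verification key rotates hourly and the resource server honours only the current and the previous key, so an integrity-protected token (item 7) ages out without carrying an expiry. The token format, the 3600-second window, the two-key grace period and the key derivation from a master secret are this example's own assumptions.

```python
import hashlib
import hmac
import time

ROTATION_SECONDS = 3600   # a fresh verification key every hour (assumed policy)
KEYS_KEPT = 2             # the resource server honours the current and previous key


def current_period(now=None):
    """Index of the current rotation window."""
    return int((time.time() if now is None else now) // ROTATION_SECONDS)


def key_for_period(master_secret, period):
    """Derive the MAC key of one window from a master secret shared by the
    authorization server and the resource server (constructed derivation)."""
    return hmac.new(master_secret, b"bearer-mac|%d" % period, hashlib.sha256).digest()


def mint_token(master_secret, payload, now=None):
    """Issue '<period>.<payload>.<hex tag>'; payload is ASCII bytes."""
    period = current_period(now)
    body = b"%d.%s" % (period, payload)
    tag = hmac.new(key_for_period(master_secret, period), body, hashlib.sha256).hexdigest()
    return body.decode("ascii") + "." + tag


def verify_token(master_secret, token, now=None):
    """Return the payload if the tag verifies under a still-accepted key, else None.

    No expiry is stored in the token: once the window that minted it has rotated
    out of the last KEYS_KEPT windows, no accepted key reproduces the tag.
    """
    try:
        period_str, rest = token.split(".", 1)
        payload, tag = rest.rsplit(".", 1)
        period = int(period_str)
        body = b"%d.%s" % (period, payload.encode("ascii"))
    except ValueError:
        return None                   # not even the expected shape
    newest = current_period(now)
    if not (newest - KEYS_KEPT < period <= newest):
        return None                   # minted too long ago, or in the "future"
    expected = hmac.new(key_for_period(master_secret, period), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                   # tampered payload, period or tag
    return payload
```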


From eran@hueniverse.com  Wed Nov  2 10:48:33 2011
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 2 Nov 2011 10:47:32 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526332101E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E971C36.7050000@cs.tcd.ie>
In-Reply-To: <4E971C36.7050000@cs.tcd.ie>
Subject: Re: [OAUTH-WG] AD review of -22

I have not seen any responses to these items so I assume the group is in
agreement with the comments made. I will push out a revised ID addressing
these items in a few days.

EHL

________________________________________
From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of Stephen Farrell [stephen.farrell@cs.tcd.ie]
Sent: Thursday, October 13, 2011 10:13 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] AD review of -22

Hi all,

Sorry for having been quite slow with this, but I had a bunch
of travel recently.

Anyway, my AD comments on -22 are attached. I think that the
first list has the ones that need some change before we push
this out for IETF LC, there might or might not be something
to change as a result of the 2nd list of questions, and the
rest are really nits that can be handled either now or later.

Thanks for all your work on this so far - it's nearly there
IMO and we should be able to get the IETF LC started once
these few things are dealt with.

Cheers,
S.

From julian.reschke@gmx.de  Wed Nov  2 11:02:08 2011
Message-ID: <4EB1859B.9030501@gmx.de>
Date: Wed, 02 Nov 2011 19:02:03 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <4EB173A1.6040209@cs.tcd.ie>
In-Reply-To: <4EB173A1.6040209@cs.tcd.ie>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13

On 2011-11-02 17:45, Stephen Farrell wrote:
> ...
> 4) What is the realm attribute in section 3? What is a
> client expected to do with that? I guess it has to be different
> from how realm is used with e.g. Basic. (That might be my
> ignorance of HTTP details though;-)
> ...

Is it different? If it is, it MUST NOT be called "realm".

Best regards, Julian

From torsten@lodderstedt.net  Wed Nov  2 12:32:13 2011
Message-ID: <4EB19AB8.6020703@lodderstedt.net>
Date: Wed, 02 Nov 2011 20:32:08 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: George Fletcher <gffletch@aol.com>
References: <725EAF50-3A82-4AAE-8C60-6D4C4AE52A79@gmx.net> <20111021005637.Horde.X6nKL0lCcOxOoKclCL3mgBA@webmail.df.eu> <CABzCy2BLp=Hh3HdyDdOGF4nZ6TMLRdiuRMzWDPvB3T2Y_fcfNA@mail.gmail.com> <4EA84E97.3020708@lodderstedt.net> <D3FB5359-DDDE-4EF7-BD69-053F5647FE4E@ve7jtb.com> <4EA8EA99.4010203@lodderstedt.net> <A8E6FEDE-8A52-47A7-9C3B-33E0594D5608@ve7jtb.com> <502551594-1319736794-cardhu_decombobulator_blackberry.rim.net-779525061-@b28.c11.bise7.blackberry> <4EA9BE04.9060607@aol.com>
In-Reply-To: <4EA9BE04.9060607@aol.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Rechartering JSON based request.


Hi,

standard OAuth does not sign request parameters. Does this mean OAuth
itself is not secure enough? Or is there a new threat angle against
those parameters in the context of Connect?

regards,
Torsten.

On 27.10.2011 22:24, George Fletcher wrote:
> The main reason to include the OAuth parameters in the request is to 
> ensure that the request object was not modified in transit since the 
> JSON request object can be signed. Agreed that it would be simpler if 
> OAuth adopted the JSON request style.
>
> Thanks,
> George
>
> On 10/27/11 1:33 PM, torsten@lodderstedt.net wrote:
>> Hi John,
>>
>> why do you need to include the OAuth request parameters into the JSON 
>> document? I would expect OpenID Connect to extend OAuth
>> non-intrusively. This would mean to use the JSON document for OpenID
>> Connect specific parameters only. Alternatively, the JSON request
>> style could be adopted as part of OAuth. Then, the URI request 
>> parameters could be omitted.
>>
>> regards,
>> Torsten.
>>
>> Sent with BlackBerry® Webmail from Telekom Deutschland
>>
>> ------------------------------------------------------------------------
>> *From: * John Bradley <ve7jtb@ve7jtb.com>
>> *Date: *Thu, 27 Oct 2011 13:52:31 -0300
>> *To: *Torsten Lodderstedt<torsten@lodderstedt.net>
>> *Cc: *Nat Sakimura<sakimura@gmail.com>; OAuth WG<oauth@ietf.org>
>> *Subject: *Re: [OAUTH-WG] Rechartering JSON based request.
>>
>> Hopefully to make it more compatible with existing OAuth 2 libraries. 
>>    At least leave open the possibility of dealing with it at a higher 
>> level.
>>
>> The argument has been made that you probably need to modify the 
>> library anyway to check that the duplicate parameters are a match.
>>
>> If there is consensus that the parameters should only be in the JSON 
>> then we would happily not duplicate them.
>>
>> It is mostly a case of trying to fit in to the existing OAuth work 
>> and libraries.
>>
>> John B.
>>
>> On 2011-10-27, at 2:22 AM, Torsten Lodderstedt wrote:
>>
>>> why is it necessary to duplicate the OAuth request parameters?
>>>
>>> On 27.10.2011 00:31, John Bradley wrote:
>>>> Nat and I just refreshed the I-D for draft-sakimura-oauth-requrl.
>>>>
>>>> It is essentially  a standardization of the method we are using in 
>>>> OpenID Connect to make signed requests to the Authorization server.
>>>>
>>>> We do have the issue that parameters in the signed/encrypted 
>>>> request necessarily duplicate the query parameters to keep it a 
>>>> valid OAuth request plus an extension.
>>>>
>>>> Even if it doesn't wind up as an OAuth WG item it is probably worth
>>>> people looking at it before the final OpenID spec is voted on.
>>>>
>>>> Regards
>>>> John B.
>>>>
>>>> On 2011-10-26, at 3:16 PM, Torsten Lodderstedt wrote:
>>>>
>>>>> Hi Nat,
>>>>>
>>>>> I think your proposal would be a useful OAuth enhancement. A 
>>>>> JSON-based request format would allow for more complex requests 
>>>>> (e.g. carrying resource server URLs and corresponding scope values 
>>>>> ;-)).
>>>>>
>>>>> Please note: I also think the way this mechanism is introduced and 
>>>>> used in the current OpenID Connect spec requires OpenID Connect
>>>>> clients and servers to handle OAuth request parameters differently 
>>>>> than for standard OAuth requests. Introducing the JSON based claim 
>>>>> request capability to OAuth would be a way to cope with this.
>>>>>
>>>>> regards,
>>>>> Torsten.
>>>>>
>>>>> On 22.10.2011 16:00, Nat Sakimura wrote:
>>>>>> Hi.
>>>>>>
>>>>>> Just a clarification:
>>>>>>
>>>>>> Although my expired draft is 'request by reference', what was 
>>>>>> proposed through it at the iiw really is a generalized JSON based 
>>>>>> claim request capability. It could be passed by value as JSON or 
>>>>>> could be passed by reference. The latter is an optimization for
>>>>>> bandwidth-constrained networks as well as strengthening security
>>>>>> in some ways. This capability already exists in OpenID Connect 
>>>>>> but it is actually an underpinning transport, so it probably 
>>>>>> should belong to OAuth instead. This was the primary reason for 
>>>>>> the proposal.
>>>>>>
>>>>>> Nat
>>>>>>
>>>>>> On Thu, Oct 20, 2011 at 3:56 PM, Torsten Lodderstedt 
>>>>>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>>>>>
>>>>>>     Hi all,
>>>>>>
>>>>>>     my prioritization is driven by the goal to make OAuth the
>>>>>>     authorization framework of choice for any internet standard
>>>>>>     protocol, such as WebDAV, IMAP, SMTP or SIP. So let me first
>>>>>>     explain what is missing from my point of view and explain
>>>>>>     some thoughts on how to fill the gaps.
>>>>>>
>>>>>>     A standard protocol is defined in terms of resource types and
>>>>>>     messages by a body (e.g. IETF, OIDF, OMA), (hopefully)
>>>>>>     implemented in many places, and used by different but
>>>>>>     deployment-independent clients. OAuth-based protocol
>>>>>>     specifications must also define scope values (e.g. read,
>>>>>>     write, send) and their relation to the resource types and
>>>>>>     messages. The different deployments expose the standard
>>>>>>     protocol on different resource server endpoints. In my
>>>>>>     opinion, it is fundamental to clearly distinguish scope
>>>>>>     values (standardized, static) and  resource server addresses
>>>>>>     (deployment specific) and to manage their relationships. The
>>>>>>     current scope definition is much too weak and insufficient.
>>>>>>     Probably, the UMA concepts of hosts, resource sets, and
>>>>>>     corresponding scopes could be adopted for that purpose.
>>>>>>
>>>>>>     OAuth today requires clients to register with the service
>>>>>>     provider before they are deployed. Would you really expect
>>>>>>     IMAP clients, e.g. Thunderbird, to register with any e-mail
>>>>>>     services upfront? So clients should be given a way to
>>>>>>     register dynamically to the authorization servers. This
>>>>>>     should also allow us to cover "client instance" aspects. It
>>>>>>     is interesting to note that such a mechanism would allow us
>>>>>>     to get rid of secret-less clients and the one-time usage
>>>>>>     requirement for authorization codes.
>>>>>>
>>>>>>     We also assume the client to know the URLs of the resource
>>>>>>     server and the corresponding authorization server and to use
>>>>>>     HTTPS server authentication to verify the resource server's
>>>>>>     authenticity. This is impossible in the standard scenario.
>>>>>>     Clients must be able to discover the authorization server a
>>>>>>     particular resource server relies on at runtime. The
>>>>>>     discovery mechanism could be specified by the OAuth WG, but
>>>>>>     could also be part of an application protocols specification.
>>>>>>     But we MUST find another way to prevent token phishing by
>>>>>>     counterfeit resource servers.
>>>>>>
>>>>>>     As one approach, the client could pass the (previously HTTPS
>>>>>>     validated) resource server's URL with the authorization
>>>>>>     request. The authorization server should then refuse such
>>>>>>     requests for any unknown (counterfeit) resource servers. Such
>>>>>>     an additional parameter could also serve as namespace for
>>>>>>     scope values and enable service providers to run multiple
>>>>>>     instances of the same service within a single deployment.
>>>>>>
>>>>>>     If the additional data enlarges the request payload too much,
>>>>>>     we could consider adopting the "request by reference" proposal.
>>>>>>
>>>>>>     Let's now assume, OAuth is successful in the world of
>>>>>>     standard protocols and we will see plenty of deployments with
>>>>>>     a bunch of different OAuth protected resource servers. Shall
>>>>>>     these servers all be accessible with a single token? In my
>>>>>>     opinion, this would cause security, privacy and/or
>>>>>>     scalability/performance problems. To give just the most
>>>>>>     obvious example, the target audience of such a token cannot
>>>>>>     be restricted enough, which may allow a resource server (or
>>>>>>     an attacker in control of it) to abuse the token on other
>>>>>>     servers. But the current design of the code grant type forces
>>>>>>     deployments to use the same token for all services. What is
>>>>>>     needed from my point of view is a way to request and issue
>>>>>>     multiple server-specific access tokens with a single
>>>>>>     authorization process.
>>>>>>
>>>>>>     I've been advocating this topic for a long time now and I'm
>>>>>>     still convinced this is required to really complete the core
>>>>>>     design. We at Deutsche Telekom needed and implemented this
>>>>>>     function on top of the existing core. In my opinion, a core
>>>>>>     enhancement would be easier to handle and more powerful. If
>>>>>>     others support this topic, I would be willing to submit an I-D
>>>>>>     describing a possible solution.
>>>>>>
>>>>>>     If we take standards really seriously, then service providers
>>>>>>     should be given the opportunity to implement their service by
>>>>>>     utilizing standard server implementations. This creates the
>>>>>>     challenge to find a standardized protocol between
>>>>>>     authorization server and resource server to exchange
>>>>>>     authorization data. Depending on the token design
>>>>>>     (self-contained vs. handle) this could be solved by either
>>>>>>     standardizing a token format (JWT) or an authorization API.
>>>>>>
>>>>>>     Based on the rationale given above, my list is as follows
>>>>>>     (topics w/o I-D are marked with *):
>>>>>>
>>>>>>     - Revocation (low hanging fruit since I-D is ready and
>>>>>>     implemented in some places)
>>>>>>     - Resource server notion*
>>>>>>     - Multiple access tokens*
>>>>>>     - Dynamic client registration
>>>>>>
>>>>>>      1) Dynamic Client Registration Protocol
>>>>>>      4) Client Instance Extension
>>>>>>     - Discovery
>>>>>>      (10) Simple Web Discovery, probably other specs as well
>>>>>>     - (6) JSON Web Token
>>>>>>     - (7) JSON Web Token (JWT) Bearer Profile
>>>>>>     - 8) User Experience Extension
>>>>>>     - Device flow
>>>>>>     - 9) Request by Reference
>>>>>>      (depending resource server notion and multiple access tokens)
>>>>>>
>>>>>>     regards,
>>>>>>     Torsten.
>>>>>>     Quoting Hannes Tschofenig <hannes.tschofenig@gmx.net
>>>>>>     <mailto:hannes.tschofenig@gmx.net>>:
>>>>>>
>>>>>>
>>>>>>         Hi all,
>>>>>>
>>>>>>         in preparation for the upcoming IETF meeting Barry and I
>>>>>>         would like to start a re-chartering discussion.  We both
>>>>>>         are currently attending the Internet Identity Workshop
>>>>>>         and so we had the chance to solicit input from the
>>>>>>         participants. This should serve as a discussion starter.
>>>>>>
>>>>>>         Potential future OAuth charter items (in random order):
>>>>>>
>>>>>>         ----------------
>>>>>>
>>>>>>         1) Dynamic Client Registration Protocol
>>>>>>
>>>>>>         Available document:
>>>>>>         http://datatracker.ietf.org/doc/draft-hardjono-oauth-dynreg/
>>>>>>
>>>>>>         2) Token Revocation
>>>>>>
>>>>>>         Available document:
>>>>>>         http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/
>>>>>>
>>>>>>         3) UMA
>>>>>>
>>>>>>         Available document:
>>>>>>         http://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
>>>>>>
>>>>>>         4) Client Instance Extension
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/id/draft-richer-oauth-instance-00.txt
>>>>>>
>>>>>>         5) XML Encoding
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt
>>>>>>
>>>>>>         6) JSON Web Token
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/html/draft-jones-json-web-token-05
>>>>>>
>>>>>>         7) JSON Web Token (JWT) Bearer Profile
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00
>>>>>>
>>>>>>         8) User Experience Extension
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00
>>>>>>
>>>>>>         9) Request by Reference
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/html/draft-sakimura-oauth-requrl-00
>>>>>>
>>>>>>         10) Simple Web Discovery
>>>>>>
>>>>>>         Available document:
>>>>>>         http://tools.ietf.org/html/draft-jones-simple-web-discovery-00
>>>>>>
>>>>>>         ----------------
>>>>>>
>>>>>>         We have the following questions:
>>>>>>
>>>>>>         a) Are you interested in any of the above-listed items?
>>>>>>         (as a reviewer, co-author, implementer, or someone who
>>>>>>         would like to deploy). It is also useful to know if you
>>>>>>         think that we shouldn't work on a specific item.
>>>>>>
>>>>>>         b) Are there other items you would like to see the group
>>>>>>         working on?
>>>>>>
>>>>>>         Note: In case your document is expired please re-submit it.
>>>>>>
>>>>>>         Ciao
>>>>>>         Hannes & Barry
>>>>>>
>>>>>>         _______________________________________________
>>>>>>         OAuth mailing list
>>>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Nat Sakimura (=nat)
>>>>>> Chairman, OpenID Foundation
>>>>>> http://nat.sakimura.org/
>>>>>> @_nat_en
>>>>>>
>>>>
>>
>>
>>
>

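The duplicate-parameter check John Bradley describes, as an added example rather than code from the draft-sakimura-oauth-requrl I-D or from any poster: OAuth parameters that appear both as query parameters and inside the signed request object must match, and a mismatch rejects the request. An HMAC-SHA256 tag over canonical JSON stands in for the JWS signature the draft uses, and the key, endpoint and request values are constructed.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Authorization-request parameters that may be sent both as query parameters
# and inside the signed request object.
OAUTH_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state")


def sign_request_object(key, claims):
    """Canonical JSON plus an HMAC-SHA256 tag; stands in for the draft's JWS."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return body.decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_request_object(key, request_object):
    """Return the claims if the tag verifies, else None."""
    body, sep, tag = request_object.rpartition(".")   # the hex tag has no dots
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def build_authorization_url(endpoint, params):
    """Helper so callers can construct a request URL (constructed endpoint)."""
    return endpoint + "?" + urlencode(params)


def check_authorization_request(key, url):
    """Validate an authorization request that carries a 'request' parameter.

    Returns (ok, reason, effective_params). Any OAuth parameter present in both
    the query string and the request object must be identical; otherwise the
    request is refused, since a mismatch means one copy was altered or the
    client's OAuth library and its Connect layer disagree.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    request_object = query.pop("request", None)
    if request_object is None:
        return False, "no request object", {}
    claims = verify_request_object(key, request_object)
    if claims is None:
        return False, "request object signature invalid", {}
    for name in OAUTH_PARAMS:
        if name in query and name in claims and query[name] != claims[name]:
            return False, "parameter %r differs between query and request object" % name, {}
    effective = dict(query)
    effective.update(claims)      # signed values take precedence over unsigned ones
    return True, "ok", effective
```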
--------------010905060204010700040805--
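
The integrity check discussed in the thread above (sign the JSON request object, then verify that the OAuth parameters duplicated in the query string match the signed copy, as George Fletcher and John Bradley describe), as an added example written for this page; it is not code from draft-sakimura-oauth-requrl or from any OpenID Connect library. It assumes an HS256-signed JWS compact serialization under a secret shared between client and authorization server, a constructed list of duplicated parameters, and uses only the Python standard library.

```python
"""Verify a signed OAuth/OpenID Connect request object and check that the
parameters duplicated in the query string agree with the signed copy.

Added example for this thread, not code from draft-sakimura-oauth-requrl or
any OpenID Connect implementation. Assumption: the request object is a JWS
compact serialization signed with HS256 under a shared client secret.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a deployment uses the secret (or key)
# registered for the client.
CLIENT_SECRET = b"constructed-example-secret"

# OAuth 2 parameters the request object duplicates so that the request stays
# a valid OAuth request (assumption: list chosen for this example).
DUPLICATED = ("response_type", "client_id", "redirect_uri", "scope", "state")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Produce an HS256-signed JWS compact serialization of the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_request_object(token: str, secret: bytes) -> dict:
    """Check the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialization")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only the expected algorithm is accepted; 'none' and anything else fail.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    return json.loads(_b64url_decode(claims_b64))


def build_authorization_url(query: dict, token: str) -> str:
    """Assemble an authorization request carrying the request object."""
    params = dict(query, request=token)
    return "https://server.example.com/authorize?" + urlencode(params)


def check_authorization_request(url: str, secret: bytes) -> dict:
    """Verify the embedded request object and reject the request when a
    duplicated query parameter disagrees with the signed copy. Returns the
    merged parameters, with the signed values taking precedence."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "request" not in query:
        raise ValueError("no request object in the authorization request")
    claims = verify_request_object(query["request"], secret)
    mismatches = [name for name in DUPLICATED
                  if name in claims and name in query
                  and claims[name] != query[name]]
    if mismatches:
        raise ValueError(f"query differs from signed request object: {mismatches}")
    merged = dict(query)
    del merged["request"]
    merged.update(claims)
    return merged


if __name__ == "__main__":
    # Constructed request: the Connect-specific part (userinfo claims) lives
    # only in the signed object, the OAuth parameters are duplicated.
    claims = {"response_type": "code", "client_id": "client-example",
              "redirect_uri": "https://client.example.org/cb",
              "scope": "openid profile", "state": "constructed-state",
              "userinfo": {"claims": {"email": None}}}
    token = sign_request_object(claims, CLIENT_SECRET)
    url = build_authorization_url({k: claims[k] for k in DUPLICATED}, token)
    print(check_authorization_request(url, CLIENT_SECRET)["scope"])
```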

From torsten@lodderstedt.net  Wed Nov  2 12:45:24 2011
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8087111E8177 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 12:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level: 
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aweeq2VV0KV6 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 12:45:23 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.96]) by ietfa.amsl.com (Postfix) with ESMTP id 8968C11E8172 for <oauth@ietf.org>; Wed,  2 Nov 2011 12:45:23 -0700 (PDT)
Received: from [87.142.252.185] (helo=[192.168.71.26]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1RLgkU-0002cm-Im; Wed, 02 Nov 2011 20:45:22 +0100
Message-ID: <4EB19DD1.6050904@lodderstedt.net>
Date: Wed, 02 Nov 2011 20:45:21 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <4E971C36.7050000@cs.tcd.ie>
In-Reply-To: <4E971C36.7050000@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------070004090002090404030709"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 19:45:24 -0000

This is a multi-part message in MIME format.
--------------070004090002090404030709
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi Stephen,

I'm concerned about your proposal (7) to make support for MAC a MUST for 
clients and BEARER a MAY only. In my opinion, this does not reflect the 
group's consensus. Besides this, the security threat analysis justifies 
usage of BEARER for nearly all use cases as long as HTTPS (incl. server 
authentication) can be utilized.

regards,
Torsten.


On 13.10.2011 19:13, Stephen Farrell wrote:
>
> Hi all,
>
> Sorry for having been quite slow with this, but I had a bunch
> of travel recently.
>
> Anyway, my AD comments on -22 are attached. I think that the
> first list has the ones that need some change before we push
> this out for IETF LC, there might or might not be something
> to change as a result of the 2nd list of questions and the
> rest are really nits that can be handled either now or later.
>
> Thanks for all your work on this so far - it's nearly there
> IMO and we should be able to get the IETF LC started once
> these few things are dealt with.
>
> Cheers,
> S.
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--------------070004090002090404030709--

From ve7jtb@ve7jtb.com  Wed Nov  2 13:04:55 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F1BF1F0C56 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.248
X-Spam-Level: 
X-Spam-Status: No, score=-3.248 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_81=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b799IFnQXIvO for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:04:53 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB2B1F0CBA for <oauth@ietf.org>; Wed,  2 Nov 2011 13:04:53 -0700 (PDT)
Received: by ggnv1 with SMTP id v1so564516ggn.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 13:04:52 -0700 (PDT)
Received: by 10.150.170.10 with SMTP id s10mr6927719ybe.86.1320264292645; Wed, 02 Nov 2011 13:04:52 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.4.104]) by mx.google.com with ESMTPS id v5sm10194334anf.3.2011.11.02.13.04.43 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Nov 2011 13:04:50 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_E85127A9-0C86-4DE0-BF81-98AD9FCB594B"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4EB19AB8.6020703@lodderstedt.net>
Date: Wed, 2 Nov 2011 17:04:38 -0300
Message-Id: <70FB711D-96D2-4917-B61E-9EFDF37200C1@ve7jtb.com>
References: <725EAF50-3A82-4AAE-8C60-6D4C4AE52A79@gmx.net> <20111021005637.Horde.X6nKL0lCcOxOoKclCL3mgBA@webmail.df.eu> <CABzCy2BLp=Hh3HdyDdOGF4nZ6TMLRdiuRMzWDPvB3T2Y_fcfNA@mail.gmail.com> <4EA84E97.3020708@lodderstedt.net> <D3FB5359-DDDE-4EF7-BD69-053F5647FE4E@ve7jtb.com> <4EA8EA99.4010203@lodderstedt.net> <A8E6FEDE-8A52-47A7-9C3B-33E0594D5608@ve7jtb.com> <502551594-1319736794-cardhu_decombobulator_blackberry.rim.net-779525061-@b28.c11.bise7.blackberry> <4EA9BE04.9060607@aol.com> <4EB19AB8.6020703@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1251.1)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Rechartering JSON based request.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:04:55 -0000

--Apple-Mail=_E85127A9-0C86-4DE0-BF81-98AD9FCB594B
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_6BABA5D4-7367-4A9D-8001-A16DA0C4DCC4"


--Apple-Mail=_6BABA5D4-7367-4A9D-8001-A16DA0C4DCC4
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

In the general OAuth case the user doesn't have much incentive to modify the request parameters.

In Connect the user is also authenticating to the client.  There may be cases where the user attempts to modify the request to escalate privileges.

I suspect state might be something someone would look at modifying depending on what the RP is passing.

Things that are Connect specific like authentication context requests need to be signed,  so signing the other parts at the same time is not a big deal.

When FICAM looks at OAUTH 2.0 to replace SAML attribute query,  I am betting someone is going to be looking for signed requests, based on defence in depth even if there are no known obvious attacks.

John B.
On 2011-11-02, at 4:32 PM, Torsten Lodderstedt wrote:

> Hi,
>
> standard OAuth does not sign request parameters. Does this mean OAuth itself is not secure enough? Or is there a new threat angle against those parameters in the context of Connect?
>
> regards,
> Torsten.
>
> On 27.10.2011 22:24, George Fletcher wrote:
>>
>> The main reason to include the OAuth parameters in the request is to ensure that the request object was not modified in transit since the JSON request object can be signed. Agreed that it would be simpler if OAuth adopted the JSON request style.
>>
>> Thanks,
>> George
>>
>> On 10/27/11 1:33 PM, torsten@lodderstedt.net wrote:
>>>
>>> Hi John,
>>>
>>> why do you need to include the OAuth request parameters into the JSON document? I would expect OpenId Connect to extend OAuth non-intrusively. This would mean to use the JSON document for OpenId connect specific parameters only. Alternatively, the JSON request style could be adopted as part of OAuth. Then, the URI request parameters could be omitted.
>>>
>>> regards,
>>> Torsten.
>>> Sent with BlackBerry® Webmail from Telekom Deutschland
>>>
>>> From: John Bradley <ve7jtb@ve7jtb.com>
>>> Date: Thu, 27 Oct 2011 13:52:31 -0300
>>> To: Torsten Lodderstedt<torsten@lodderstedt.net>
>>> Cc: Nat Sakimura<sakimura@gmail.com>; OAuth WG<oauth@ietf.org>
>>> Subject: Re: [OAUTH-WG] Rechartering JSON based request.
>>>
>>> Hopefully to make it more compatible with existing OAuth 2 libraries.    At least leave open the possibility of dealing with it at a higher level.
>>>
>>> The argument has been made that you probably need to modify the library anyway to check that the duplicate parameters are a match.
>>>
>>> If there is consensus that the parameters should only be in the JSON then we would happily not duplicate them.
>>>
>>> It is mostly a case of trying to fit in to the existing OAuth work and libraries.
>>>
>>> John B.
>>>
>>> On 2011-10-27, at 2:22 AM, Torsten Lodderstedt wrote:
>>>
>>>> why is it necessary to duplicate the OAuth request parameters?
>>>>
>>>> On 27.10.2011 00:31, John Bradley wrote:
>>>>>
>>>>> Nat and I just refreshed the I-D for draft-sakimura-oauth-requrl.
>>>>>
>>>>> It is essentially  a standardization of the method we are using in openID Connect to make signed requests to the Authorization server.
>>>>>
>>>>> We do have the issue that parameters in the signed/encrypted request necessarily duplicate the query parameters to keep it a valid OAuth request plus an extension.
>>>>>
>>>>> Even if it doesn't wind up as an OAuth WG item it is probably worth people looking at it before the final openID spec is voted on.
>>>>>
>>>>> Regards
>>>>> John B.
>>>>>
>>>>> On 2011-10-26, at 3:16 PM, Torsten Lodderstedt wrote:
>>>>>
>>>>>> Hi Nat,
>>>>>>
>>>>>> I think your proposal would be a useful OAuth enhancement. A JSON-based request format would allow for more complex requests (e.g. carrying resource server URLs and corresponding scope values ;-)).
>>>>>>
>>>>>> Please note: I also think the way this mechanism is introduced and used in the current OpenID connect spec requires OpenID connect clients and servers to handle OAuth request parameters differently than for standard OAuth requests. Introducing the JSON based claim request capability to OAuth would be a way to cope with this.
>>>>>>
>>>>>> regards,
>>>>>> Torsten.
>>>>>>
>>>>>> On 22.10.2011 16:00, Nat Sakimura wrote:
>>>>>>>
>>>>>>> Hi.
>>>>>>>
>>>>>>> Just a clarification:
>>>>>>>
>>>>>>> Although my expired draft is 'request by reference', what was proposed through it at the iiw really is a generalized JSON based claim request capability. It could be passed by value as JSON or could be passed by reference. The latter is an optimization for bandwidth constrained networks as well as strengthening security in some ways. This capability already exists in OpenID Connect but it is actually an underpinning transport, so it probably should belong to OAuth instead. This was the primary reason for the proposal.
>>>>>>>
>>>>>>> Nat
>>>>>>>
>>>>>>> On Thu, Oct 20, 2011 at 3:56 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> my prioritization is driven by the goal to make OAuth the authorization framework of choice for any internet standard protocol, such as WebDAV, IMAP, SMTP or SIP. So let me first explain what is missing from my point of view and explain some thoughts on how to fill the gaps.
>>>>>>>
>>>>>>> A standard protocol is defined in terms of resource types and messages by a body (e.g. IETF, OIDF, OMA), (hopefully) implemented in many places, and used by different but deployment-independent clients. OAuth-based protocol specifications must also define scope values (e.g. read, write, send) and their relation to the resource types and messages. The different deployments expose the standard protocol on different resource server endpoints. In my opinion, it is fundamental to clearly distinguish scope values (standardized, static) and resource server addresses (deployment specific) and to manage their relationships. The current scope definition is much too weak and insufficient. Probably, the UMA concepts of hosts, resource sets, and corresponding scopes could be adopted for that purpose.
>>>>>>>
>>>>>>> OAuth today requires clients to register with the service provider before they are deployed. Would you really expect IMAP clients, e.g. Thunderbird, to register with any e-mail services upfront? So clients should be given a way to register dynamically to the authorization servers. This should also allow us to cover "client instance" aspects. It is interesting to note that such a mechanism would allow us to get rid of secret-less clients and the one-time usage requirement for authorization codes.
>>>>>>>
>>>>>>> We also assume the client to know the URLs of the resource server and the corresponding authorization server and to use HTTPS server authentication to verify the resource server's authenticity. This is impossible in the standard scenario. Clients must be able to discover the authorization server a particular resource server relies on at runtime. The discovery mechanism could be specified by the OAuth WG, but could also be part of an application protocol's specification. But we MUST find another way to prevent token phishing by counterfeit resource servers.
>>>>>>>
>>>>>>> As one approach, the client could pass the (previously HTTPS validated) resource server's URL with the authorization request. The authorization server should then refuse such requests for any unknown (counterfeit) resource servers. Such an additional parameter could also serve as namespace for scope values and enable service providers to run multiple instances of the same service within a single deployment.
>>>>>>>
>>>>>>> If the additional data enlarges the request payload too much, we could consider adopting the "request by reference" proposal.
>>>>>>>
>>>>>>> Let's now assume OAuth is successful in the world of standard protocols and we will see plenty of deployments with a bunch of different OAuth protected resource servers. Shall these servers all be accessible with a single token? In my opinion, this would cause security, privacy and/or scalability/performance problems. To give just the most obvious example, the target audience of such a token cannot be restricted enough, which may allow a resource server (or an attacker in control of it) to abuse the token on other servers. But the current design of the code grant type forces deployments to use the same token for all services. What is needed from my point of view is a way to request and issue multiple server-specific access tokens with a single authorization process.
>>>>>>>
>>>>>>> I've been advocating this topic for a long time now and I'm still convinced this is required to really complete the core design. We at Deutsche Telekom needed and implemented this function on top of the existing core. In my opinion, a core enhancement would be easier to handle and more powerful. If others support this topic, I would be willing to submit an I-D describing a possible solution.
>>>>>>>
>>>>>>> If we take standards really seriously, then service providers should be given the opportunity to implement their service by utilizing standard server implementations. This creates the challenge to find a standardized protocol between authorization server and resource server to exchange authorization data. Depending on the token design (self-contained vs. handle) this could be solved by either standardizing a token format (JWT) or an authorization API.
>>>>>>>
>>>>>>> Based on the rationale given above, my list is as follows (topics w/o I-D are marked with *):
>>>>>>>
>>>>>>> - Revocation (low hanging fruit since I-D is ready and implemented in some places)
>>>>>>> - Resource server notion*
>>>>>>> - Multiple access tokens*
>>>>>>> - Dynamic client registration
>>>>>>>
>>>>>>>  1) Dynamic Client Registration Protocol
>>>>>>>  4) Client Instance Extension
>>>>>>> - Discovery
>>>>>>>  (10) Simple Web Discovery, probably other specs as well
>>>>>>> - (6) JSON Web Token
>>>>>>> - (7) JSON Web Token (JWT) Bearer Profile
>>>>>>> - 8) User Experience Extension
>>>>>>> - Device flow
>>>>>>> - 9) Request by Reference
>>>>>>>  (depending on resource server notion and multiple access tokens)
>>>>>>>
>>>>>>> regards,
>>>>>>> Torsten.
>>>>>>> Quoting Hannes Tschofenig <hannes.tschofenig@gmx.net>:
>>>>>>>
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> in preparation of the upcoming IETF meeting Barry and I would like to start a re-chartering discussion.  We both are currently attending the Internet Identity Workshop and so we had the chance to solicit input from the participants. This should serve as a discussion starter.
>>>>>>>
>>>>>>> Potential future OAuth charter items (in random order):
>>>>>>>
>>>>>>> ----------------
>>>>>>>
>>>>>>> 1) Dynamic Client Registration Protocol
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-dynreg/
>>>>>>>
>>>>>>> 2) Token Revocation
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/
>>>>>>>
>>>>>>> 3) UMA
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
>>>>>>>
>>>>>>> 4) Client Instance Extension
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/id/draft-richer-oauth-instance-00.txt
>>>>>>>
>>>>>>> 5) XML Encoding
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt
>>>>>>>
>>>>>>> 6) JSON Web Token
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/html/draft-jones-json-web-token-05
>>>>>>>
>>>>>>> 7) JSON Web Token (JWT) Bearer Profile
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00
>>>>>>>
>>>>>>> 8) User Experience Extension
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00
>>>>>>>
>>>>>>> 9) Request by Reference
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/html/draft-sakimura-oauth-requrl-00
>>>>>>>
>>>>>>> 10) Simple Web Discovery
>>>>>>>
>>>>>>> Available document:
>>>>>>> http://tools.ietf.org/html/draft-jones-simple-web-discovery-00
>>>>>>>
>>>>>>> ----------------
>>>>>>>
>>>>>>> We have the following questions:
>>>>>>>
>>>>>>> a) Are you interested in any of the above-listed items? (as a reviewer, co-author, implementer, or someone who would like to deploy). It is also useful to know if you think that we shouldn't work on a specific item.
>>>>>>>
>>>>>>> b) Are there other items you would like to see the group working on?
>>>>>>>
>>>>>>> Note: In case your document is expired please re-submit it.
>>>>>>>
>>>>>>> Ciao
>>>>>>> Hannes & Barry
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Nat Sakimura (=nat)
>>>>>>> Chairman, OpenID Foundation
>>>>>>> http://nat.sakimura.org/
>>>>>>> @_nat_en
>>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
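The mechanism John and George describe above (OAuth parameters duplicated in the query string and inside a signed JSON request object, with the server checking that the two copies agree), as an added Python illustration that is not code from the thread, from OpenID Connect or from draft-sakimura-oauth-requrl. The HS256-style shared client key, the list of duplicated parameter names and all sample values are assumptions of this demo.

```python
# Added illustration: a client signs a JSON request object (compact JWS,
# HMAC-SHA256) and the authorization server verifies it, then rejects the
# request if any OAuth parameter that was also sent unsigned in the query
# differs from the signed copy. Key, parameter names and values are constructed
# for this demo; real deployments use the client's registered signing key.
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

CLIENT_KEY = b"demo-shared-secret-not-for-production"  # constructed demo key

# OAuth parameters that end up in both the query string and the signed object.
DUPLICATED_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Client side: build header.payload.signature over the JSON claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(token: str, key: bytes) -> dict:
    """Server side: return the claims if the signature checks out, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed request object")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token never gets to pick 'none'
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def build_authorization_request(claims: dict, key: bytes) -> str:
    """Client side: duplicate the OAuth parameters in the query so a plain
    OAuth library still sees a valid request, and attach the signed object."""
    params = {k: claims[k] for k in DUPLICATED_PARAMS if k in claims}
    params["request"] = sign_request_object(claims, key)
    return urlencode(params)


def authorize(query_string: str, key: bytes) -> dict:
    """Server side: verify the object and enforce that duplicated parameters
    match. Returns the effective (signed-copy-authoritative) parameters."""
    query = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    token = query.pop("request", None)
    if token is None:
        raise ValueError("missing request object")
    claims = verify_request_object(token, key)
    for name in DUPLICATED_PARAMS:
        if name in query and name in claims and query[name] != claims[name]:
            raise ValueError(f"parameter mismatch: {name}")
    # Signed values win; unsigned extras survive only where the object is silent.
    return {**query, **claims}


def demo():
    """Honest request is accepted; tampering with the unsigned scope copy is caught."""
    claims = {
        "response_type": "code",
        "client_id": "s6BhdRkqt3",  # constructed sample client id
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid profile",
        "state": "af0ifjsldkj",
        # Connect-specific content that exists only inside the signed object:
        "claims": {"id_token": {"acr": {"values": ["urn:example:acr:strong"]}}},
    }
    qs = build_authorization_request(claims, CLIENT_KEY)
    accepted = authorize(qs, CLIENT_KEY)
    tampered = qs.replace("scope=openid+profile", "scope=openid+profile+admin")
    try:
        authorize(tampered, CLIENT_KEY)
        detected = False
    except ValueError:
        detected = True
    return accepted["scope"], detected


if __name__ == "__main__":
    print(demo())  # ('openid profile', True)
```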


--Apple-Mail=_6BABA5D4-7367-4A9D-8001-A16DA0C4DCC4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1

<html><head></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">In =
the general OAuth case the user doesn't have much incentive to modify =
the request parameters.<div><br></div><div>In Connect the user is also =
authenticating to the client. &nbsp;There may be cases where the user =
attempts to modify the request to escalate =
privileges.</div><div><br></div><div>I suspect state might be something =
someone would look at modifying depending on what the RP is =
passing.</div><div><br></div><div>Things that are Connect specific like =
authentication context requests need to be signed, &nbsp;so signing the =
other parts at the same time is not a big =
deal.</div><div><br></div><div>When FICAM looks at OAUTH 2.0 to replace =
SAML attribute query, &nbsp;I am betting someone is going to be looking =
for signed requests,m based on defence ion depth even if there are know =
obvious attacks.</div><div><br></div><div>John B.<br><div><div>On =
2011-11-02, at 4:32 PM, Torsten Lodderstedt wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite">
 =20
    <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000">
    Hi,<br>
    <br>
    standard OAuth does not sign request parameters. Does this mean
    OAuth itself is not secure enough? Or is there a new threat angle
    against those parameters in the contect of Connect?<br>
    <br>
    regards,<br>
    Torsten.<br>
    <br>
    Am 27.10.2011 22:24, schrieb George Fletcher:
    <blockquote cite=3D"mid:4EA9BE04.9060607@aol.com" type=3D"cite">
      <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
      <font face=3D"Helvetica, Arial, sans-serif">The main reason to
        include the OAuth parameters in the request is to ensure that
        the request object was not modified in transit since the JSON
        request object can be signed. Agreed that it would be simpler if
        OAuth adopted the JSON request style.<br>
        <br>
        Thanks,<br>
        George<br>
      </font><br>
      On 10/27/11 1:33 PM, <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>
      wrote:
      <blockquote =
cite=3D"mid:502551594-1319736794-cardhu_decombobulator_blackberry.rim.net-=
779525061-@b28.c11.bise7.blackberry" type=3D"cite">Hi John,<br>
        <br>
        why do you need to include the OAuth request parameters into the
        JSON document? I would expect OpenId Connect to extend OAuth
        none-intrusively. This would mean to use the JSON document for
        OpenId connect specific parameters only. Alternatively, the JSON
        request style could be adopted as part of OAuth. Then, the URI
        request parameters could be omitted.<br>
        <br>
        regards,<br>
        Torsten.
        <p>Gesendet mit BlackBerry=AE Webmail von Telekom Deutschland =
</p>
        <hr>
        <div><b>From: </b> John Bradley <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:ve7jtb@ve7jtb.com">&lt;ve7jtb@ve7jtb.com&gt;</a>
        </div>
        <div><b>Date: </b>Thu, 27 Oct 2011 13:52:31 -0300</div>
        <div><b>To: </b>Torsten Lodderstedt<a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:torsten@lodderstedt.net">&lt;torsten@lodderstedt.net&gt;</a=
></div>
        <div><b>Cc: </b>Nat Sakimura<a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:sakimura@gmail.com">&lt;sakimura@gmail.com&gt;</a>;
          OAuth WG<a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:oauth@ietf.org">&lt;oauth@ietf.org&gt;</a></div>
        <div><b>Subject: </b>Re: [OAUTH-WG] Rechartering JSON based
          request.</div>
        <div><br>
        </div>
        Hopefully to make it more compatible with existing OAuth 2
        libraries. &nbsp; &nbsp;At least leave open the possibility of =
dealing
        with it at a higher level.
        <div><br>
        </div>
        <div>The argument has been made that you probably need to modify
          the library anyway to check that the duplicate parameters are
          a match.</div>
        <div><br>
        </div>
        <div>If there is consensus that the parameters should only be in
          the JSON then we would happily not duplicate them.</div>
        <div><br>
        </div>
        <div>It is mostly a case of trying to fit in to the existing
          OAuth work and libraries.</div>
        <div><br>
        </div>
        <div>John B.</div>
        <div><br>
          <div>
            <div>On 2011-10-27, at 2:22 AM, Torsten Lodderstedt =
wrote:</div>
            <br class=3D"Apple-interchange-newline">
            <blockquote type=3D"cite">
              <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
              <div bgcolor=3D"#FFFFFF" text=3D"#000000"> why is it
                neccessary to duplicate the OAuth request =
parameters?<br>
                <br>
                Am 27.10.2011 00:31, schrieb John Bradley:
                <blockquote =
cite=3D"mid:D3FB5359-DDDE-4EF7-BD69-053F5647FE4E@ve7jtb.com" =
type=3D"cite"><span class=3D"Apple-style-span">Nat and I
                    just refreshed the I-D for&nbsp;</span><span =
class=3D"Apple-style-span" style=3D"font-family:
                    monospace; ">draft-sakimura-oauth-requrl</span><span =
class=3D"Apple-style-span">.
                    <div><br>
                    </div>
                    <div>It is essentially &nbsp;a standardization of =
the
                      method we are using in openID Connect to make
                      signed requests to the Authorization server.</div>
                    <div><br>
                    </div>
                    <div>We do have the issue that parameters in the
                      signed/encrypted request necessarily duplicate the
                      query parameters to keep it a valid OAuth request
                      plus an extension.</div>
                    <div><br>
                    </div>
                    <div>Even if it doesn't wind up as a OAuth WG item
                      it is probably worth people looking at it before
                      the final openID spec is voted on.</div>
                    <div><br>
                    </div>
                    <div>Regards</div>
                    <div>John B.</div>
                    <div><br>
                      <div>
                        <div>On 2011-10-26, at 3:16 PM, Torsten
                          Lodderstedt wrote:</div>
                        <br class=3D"Apple-interchange-newline">
                        <blockquote type=3D"cite">
                          <meta content=3D"text/html; =
charset=3DISO-8859-1" http-equiv=3D"Content-Type">
                          <div bgcolor=3D"#FFFFFF" text=3D"#000000"> Hi =
Nat,<br>
                            <br>
                            I think your proposal would be a useful
                            OAuth enhancement. A JSON-based request
                            format would allow for more complex requests
                            (e.g. carrying resource server URLs and
                            corresponding scope values ;-)). <br>
                            <br>
                            Please note: I also think the way this
                            mechanism is introduced and used in the
                            current OpenID connect spec requires OpenID
                            connect clients and servers to handle OAuth
                            request parameters differently than for
                            standard OAuth requests. Introducing the
                            JSON based claim request capability to OAuth
                            would be a way to cope with this.<br>
                            <br>
                            regards,<br>
                            Torsten.<br>
                            <br>
                            Am 22.10.2011 16:00, schrieb Nat Sakimura:
                            <blockquote =
cite=3D"mid:CABzCy2BLp=3DHh3HdyDdOGF4nZ6TMLRdiuRMzWDPvB3T2Y_fcfNA@mail.gma=
il.com" type=3D"cite">Hi.&nbsp;
                              <div><br>
                              </div>
                              <div>Just a clarification:&nbsp;</div>
                              <div><br>
                              </div>
                              <div>Although my expired draft is 'request
                                by reference', what was proposed through
                                it at the iiw really is a generalized
                                JSON based claim request capability. It
                                could be passed by value as JSON or
                                could be passed by reference. The later
                                is an optimization for bandwidth
                                constrained network as well as
                                strengthening security in some ways.
                                This capability already exists in OpenID
                                Connect but it is actually an
                                underpinning transport, so it probably
                                should belong to OAuth instead. This was
                                the primary reason for the =
proposal.&nbsp;</div>
                              <div><br>
                              </div>
                              <div>Nat</div>
                              <div><br>
                                <div class=3D"gmail_quote">On Thu, Oct =
20,
                                  2011 at 3:56 PM, Torsten Lodderstedt =
<span dir=3D"ltr">&lt;<a moz-do-not-send=3D"true" =
href=3D"mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>&gt;</s=
pan>
                                  wrote:<br>
                                  <blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex;">Hi all,<br>
                                    <br>
                                    my prioritization is driven by the
                                    goal to make OAuth the authorization
                                    framework of choice for any internet
                                    standard protocol, such as WebDAV,
                                    IMAP, SMTP or SIP. So let me first
                                    explain what is missing from my
                                    point of view and explain some
                                    thoughts how to fill the gaps.<br>
                                    <br>
                                    A standard protocol is defined in
                                    terms of resource types and messages
                                    by a body (e.g. IETF, OIDF, OMA),
                                    (hopefully) implemented in many
                                    places, and used by different but
                                    deployment-independent clients.
                                    OAuth-based protocol specifications
                                    must also define scope values (e.g.
                                    read, write, send) and their
                                    relation to the resource types and
                                    messages. The different deployments
                                    expose the standard protocol on
                                    different resource server endpoints.
                                    In my opinion, it is fundamental to
                                    clearly distinguish scope values
                                    (standardized, static) and =
&nbsp;resource
                                    server addresses (deployment
                                    specific) and to manage their
                                    relationships. The current scope
                                    definition is much too weak and
                                    insufficient. Probably, the UMA
                                    concepts of hosts, resource sets,
                                    and corresponding scopes could be
                                    adopted for that purpose.<br>
                                    <br>
                                    OAuth today requires clients to
                                    register with the service provider
                                    before they are deployed. Would you
                                    really expect IMAP clients, e.g.
                                    Thunderbird, to register with any
                                    e-mail services upfront? So clients
                                    should be given a way to register
                                    dynamically to the authorization
                                    servers. This should also allow us
                                    to cover "client instance" aspects.
                                    It is interesting to note that such
                                    a mechanism would allow us to get
                                    rid of secret-less clients and the
                                    one-time usage requirement for
                                    authorization codes.<br>
                                    <br>
                                    We also assume the client to know
                                    the URLs of the resource server and
                                    the corresponding authorization
                                    server and to use HTTPS server
                                    authentication to verify the
                                    resource server's authenticity. This
                                    is impossible in the standard
                                    scenario. Clients must be able to
                                    discover the authorization server a
                                    particular resource server relies on
                                    at runtime. The discovery mechanism
                                    could be specified by the OAuth WG,
                                    but could also be part of an
                                    application protocol's specification.
                                    But we MUST find another way to
                                    prevent token phishing by
                                    counterfeit resource servers.<br>
                                    <br>
                                    As one approach, the client could
                                    pass the (previously HTTPS
                                    validated) resource server's URL
                                    with the authorization request. The
                                    authorization server should then
                                    refuse such requests for any unknown
                                    (counterfeit) resource servers. Such
                                    an additional parameter could also
                                    serve as namespace for scope values
                                    and enable service providers to run
                                    multiple instances of the same
                                    service within a single =
deployment.<br>
                                    <br>
                                    If the additional data enlarges the
                                    request payload too much, we could
                                    consider adopting the "request by
                                    reference" proposal.<br>
                                    <br>
                                    Let's now assume OAuth is
                                    successful in the world of standard
                                    protocols and we will see plenty of
                                    deployments with a bunch of
                                    different OAuth protected resource
                                    servers. Shall these servers all be
                                    accessible with a single token? In
                                    my opinion, this would cause
                                    security, privacy and/or
                                    scalability/performance problems. To
                                    give just the most obvious example,
                                    the target audience of such a token
                                    cannot be restricted enough, which
                                    may allow a resource server (or an
                                    attacker in control of it) to abuse
                                    the token on other servers. But the
                                    current design of the code grant
                                    type forces deployments to use the
                                    same token for all services. What is
                                    needed from my point of view is a
                                    way to request and issue multiple
                                    server-specific access tokens with a
                                    single authorization process.<br>
                                    <br>
                                    I've been advocating this topic for
                                    a long time now and I'm still
                                    convinced this is required to really
                                    complete the core design. We at
                                    Deutsche Telekom needed and
                                    implemented this function on top of
                                    the existing core. In my opinion, a
                                    core enhancement would be easier to
                                    handle and more powerful. If others
                                    support this topic, I would be
                                    willing to submit an I-D describing a
                                    possible solution.<br>
                                    <br>
                                    If we take standards really
                                    seriously, then service providers
                                    should be given the opportunity to
                                    implement their service by utilizing
                                    standard server implementations.
                                    This creates the challenge to find a
                                    standardized protocol between
                                    authorization server and resource
                                    server to exchange authorization
                                    data. Depending on the token design
                                    (self-contained vs. handle) this
                                    could be solved by either
                                    standardizing a token format (JWT)
                                    or an authorization API.<br>
                                    <br>
                                    Based on the rationale given above,
                                    my list is as follows (topics w/o
                                    I-D are marked with *):<br>
                                    <br>
                                    - Revocation (low hanging fruit
                                    since I-D is ready and implemented
                                    in some places)<br>
                                    - Resource server notion*<br>
                                    - Multiple access tokens*<br>
                                    - Dynamic client registration
                                    <div class=3D"im"><br>
                                      &nbsp;1) Dynamic Client =
Registration
                                      Protocol<br>
                                    </div>
                                    &nbsp;4) Client Instance =
Extension<br>
                                    - Discovery<br>
                                    &nbsp;(10) Simple Web Discovery, =
probably
                                    other specs as well<br>
                                    - (6) JSON Web Token<br>
                                    - (7) JSON Web Token (JWT) Bearer
                                    Profile<br>
                                    - 8) User Experience Extension<br>
                                    - Device flow<br>
                                    - 9) Request by Reference<br>
                                    &nbsp;(depending on resource server =
notion
                                    and multiple access tokens)<br>
                                    <br>
                                    regards,<br>
                                    Torsten.<br>
                                    Quoting Hannes Tschofenig &lt;<a =
moz-do-not-send=3D"true" href=3D"mailto:hannes.tschofenig@gmx.net" =
target=3D"_blank">hannes.tschofenig@gmx.net</a>&gt;:



                                    <div>
                                      <div class=3D"h5"><br>
                                        <br>
                                        <blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0
                                          .8ex;border-left:1px #ccc
                                          solid;padding-left:1ex"> Hi
                                          all,<br>
                                          <br>
                                          in preparation of the upcoming
                                          IETF meeting Barry and I would
                                          like to start a re-chartering
                                          discussion. &nbsp;We both are
                                          currently attending the
                                          Internet Identity Workshop and
                                          so we had the chance to
                                          solicit input from the
                                          participants. This should
                                          serve as a discussion =
starter.<br>
                                          <br>
                                          Potential future OAuth charter
                                          items (in random order):<br>
                                          <br>
                                          ----------------<br>
                                          <br>
                                          1) Dynamic Client Registration
                                          Protocol<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://datatracker.ietf.org/doc/draft-hardjono-oauth-dynreg/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-hardjono-oauth-dyn=
reg/</a><br>
                                          <br>
                                          2) Token Revocation<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation=
/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-=
revocation/</a><br>
                                          <br>
                                          3) UMA<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-hardjono-oauth-uma=
core/</a><br>
                                          <br>
                                          4) Client Instance =
Extension<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/id/draft-richer-oauth-instance-00.txt" =
target=3D"_blank">http://tools.ietf.org/id/draft-richer-oauth-instance-00.=
txt</a><br>
                                          <br>
                                          5) XML Encoding<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt" =
target=3D"_blank">http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt</=
a><br>
                                          <br>
                                          6) JSON Web Token<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-jones-json-web-token-05" =
target=3D"_blank">http://tools.ietf.org/html/draft-jones-json-web-token-05=
</a><br>
                                          <br>
                                          7) JSON Web Token (JWT) Bearer
                                          Profile<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00" =
target=3D"_blank">http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-=
00</a><br>
                                          <br>
                                          8) User Experience =
Extension<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00" =
target=3D"_blank">http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00=
</a><br>
                                          <br>
                                          9) Request by Reference<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-sakimura-oauth-requrl-00" =
target=3D"_blank">http://tools.ietf.org/html/draft-sakimura-oauth-requrl-0=
0</a><br>
                                          <br>
                                          10) Simple Web Discovery<br>
                                          <br>
                                          Available document:<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-jones-simple-web-discovery-00" =
target=3D"_blank">http://tools.ietf.org/html/draft-jones-simple-web-discov=
ery-00</a><br>
                                          <br>
                                          ----------------<br>
                                          <br>
                                          We have the following
                                          questions:<br>
                                          <br>
                                          a) Are you interested in any
                                          of the above-listed items? (as
                                          a reviewer, co-author,
                                          implementer, or someone who
                                          would like to deploy). It is
                                          also useful to know if you
                                          think that we shouldn't work
                                          on a specific item.<br>
                                          <br>
                                          b) Are there other items you
                                          would like to see the group
                                          working on?<br>
                                          <br>
                                          Note: In case your document is
                                          expired please re-submit =
it.<br>
                                          <br>
                                          Ciao<br>
                                          Hannes &amp; Barry<br>
                                          <br>
_______________________________________________<br>
                                          OAuth mailing list<br>
                                          <a moz-do-not-send=3D"true" =
href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
                                          <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
                                        </blockquote>
                                        <br>
                                        <br>
                                        <br>
                                      </div>
                                    </div>
                                  </blockquote>
                                </div>
                                <br>
                                <br clear=3D"all">
                                <div><br>
                                </div>
                                -- <br>
                                Nat Sakimura (=3Dnat)
                                <div>Chairman, OpenID Foundation<br>
                                  <a moz-do-not-send=3D"true" =
href=3D"http://nat.sakimura.org/" =
target=3D"_blank">http://nat.sakimura.org/</a><br>
                                  @_nat_en</div>
                                <br>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </span> </blockquote>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
        <br>
      </blockquote>
      <br>
    </blockquote>
  </div>

</blockquote></div><br></div></body></html>=

--Apple-Mail=_6BABA5D4-7367-4A9D-8001-A16DA0C4DCC4--

--Apple-Mail=_E85127A9-0C86-4DE0-BF81-98AD9FCB594B
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_E85127A9-0C86-4DE0-BF81-98AD9FCB594B--
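Added example (written for this archive page; not code from any message in the thread or from any of the drafts it lists) of the mechanism Torsten describes in his quoted mail above: the client names the resource server it has already authenticated over HTTPS, the authorization server refuses unknown (counterfeit) resource servers, and one audience-restricted token is issued per resource server so a token obtained for one server is rejected at another. The `resource_server` request parameter name, the HMAC-signed token format and the shared signing key are assumptions, and the deployment data is constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Constructed deployment data: the resource servers this authorization server
# is responsible for, and the standardized scope values each one exposes.
KNOWN_RESOURCE_SERVERS = {
    "https://imap.example.net": {"read", "write"},
    "https://smtp.example.net": {"send"},
}
# Assumed: a key shared between the AS and its resource servers (constructed).
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_origin(url: str) -> str:
    """Reduce a client-supplied resource server URL to scheme://host[:port].
    Only https is accepted, since the proposal relies on the client having
    authenticated the server over HTTPS before naming it."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("resource server URL must be https:// with a host")
    return f"{parts.scheme}://{parts.netloc}".lower()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict) -> str:
    """Assumed token format: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def authorize(request: dict) -> dict:
    """Authorization-server side. `request` mirrors an authorization request
    with an assumed `resource_server` list parameter next to `scope`.
    Returns one audience-restricted token per named resource server."""
    scopes = set(request.get("scope", "").split())
    tokens = {}
    for url in request.get("resource_server", []):
        origin = canonical_origin(url)
        # Unknown (possibly counterfeit) resource server: refuse the request
        # instead of minting a token that a phishing server could collect.
        if origin not in KNOWN_RESOURCE_SERVERS:
            raise PermissionError(f"unknown resource server: {origin}")
        # The resource server also namespaces the scope values: only the
        # scopes that server actually defines are granted for it.
        granted = scopes & KNOWN_RESOURCE_SERVERS[origin]
        if not granted:
            raise PermissionError(f"no requested scope applies to {origin}")
        tokens[origin] = _sign({
            "aud": origin,
            "scope": sorted(granted),
            "jti": secrets.token_hex(8),  # unique id so each token is distinct
        })
    return tokens


def accept_token(token: str, my_origin: str, needed_scope: str) -> bool:
    """Resource-server side. Verify the MAC, then require that the token's
    audience is this server and that it carries the needed scope. A token
    issued for another server fails the audience check even though its MAC
    is valid, so one server cannot reuse a client's token elsewhere."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return False
    return claims.get("aud") == my_origin and needed_scope in claims.get("scope", [])


if __name__ == "__main__":
    issued = authorize({"scope": "read send",
                        "resource_server": ["https://imap.example.net",
                                            "https://smtp.example.net"]})
    imap_token = issued["https://imap.example.net"]
    print("IMAP token at IMAP server:",
          accept_token(imap_token, "https://imap.example.net", "read"))
    print("IMAP token replayed at SMTP server:",
          accept_token(imap_token, "https://smtp.example.net", "send"))
```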

From ve7jtb@ve7jtb.com  Wed Nov  2 13:06:56 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6F451F0CBC for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:06:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.526
X-Spam-Level: 
X-Spam-Status: No, score=-3.526 tagged_above=-999 required=5 tests=[AWL=0.073,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fJ4NATzmy7fx for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:06:56 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id C1E0B1F0CA9 for <oauth@ietf.org>; Wed,  2 Nov 2011 13:06:55 -0700 (PDT)
Received: by ggnv1 with SMTP id v1so566362ggn.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 13:06:55 -0700 (PDT)
Received: by 10.146.159.14 with SMTP id h14mr1512970yae.4.1320264415155; Wed, 02 Nov 2011 13:06:55 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.4.104]) by mx.google.com with ESMTPS id l27sm10118574ani.21.2011.11.02.13.06.53 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Nov 2011 13:06:54 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_547BD3C2-7528-47CD-B61F-5B5C875F3598"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4EB19DD1.6050904@lodderstedt.net>
Date: Wed, 2 Nov 2011 17:06:48 -0300
Message-Id: <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1251.1)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:06:56 -0000

--Apple-Mail=_547BD3C2-7528-47CD-B61F-5B5C875F3598
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_9309BC16-F0AE-42D4-8B75-190910F5A199"


--Apple-Mail=_9309BC16-F0AE-42D4-8B75-190910F5A199
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

+1
On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:

> Hi Stephen,
>=20
> I'm concerned about your proposal (7) to make support for MAC a MUST =
for clients and BEARER a MAY only. In my opinion, this does not reflect =
the group's consensus. Besides this, the security threat analysis =
justifies usage of BEARER for nearly all use cases as long as HTTPS =
(incl. server authentication) can be utilized.
> regards,
> Torsten.
>=20
> On 13.10.2011 19:13, Stephen Farrell wrote:
>>=20
>>=20
>> Hi all,=20
>>=20
>> Sorry for having been quite slow with this, but I had a bunch=20
>> of travel recently.=20
>>=20
>> Anyway, my AD comments on -22 are attached. I think that the=20
>> first list has the ones that need some change before we push=20
>> this out for IETF LC, there might or might not be something=20
>> to change as a result of the 2nd list of questions and the=20
>> rest are really nits that can be handled either now or later.=20
>>=20
>> Thanks for all your work on this so far - it's nearly there=20
>> IMO and we should be able to get the IETF LC started once=20
>> these few things are dealt with.=20
>>=20
>> Cheers,=20
>> S.=20
>>=20
>>=20
>>=20


--Apple-Mail=_9309BC16-F0AE-42D4-8B75-190910F5A199
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
	charset=iso-8859-1

<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">+1<br><div><div>On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  
    <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Stephen,<br>
    <br>
    I'm concerned about your proposal (7) to make support for MAC a MUST
    for clients and BEARER a MAY only. In my opinion, this does not
    reflect the group's consensus. Besides this, the security threat
    analysis justifies usage of BEARER for nearly all use cases as long
    as HTTPS (incl. server authentication) can be utilized.<br>
    <pre wrap="">regards,
Torsten.
</pre>
    <br>
    On 13.10.2011 19:13, Stephen Farrell wrote:
    <blockquote cite="mid:4E971C36.7050000@cs.tcd.ie" type="cite">
      <br>
      Hi all,
      <br>
      <br>
      Sorry for having been quite slow with this, but I had a bunch
      <br>
      of travel recently.
      <br>
      <br>
      Anyway, my AD comments on -22 are attached. I think that the
      <br>
      first list has the ones that need some change before we push
      <br>
      this out for IETF LC, there might or might not be something
      <br>
      to change as a result of the 2nd list of questions and the
      <br>
      rest are really nits that can be handled either now or later.
      <br>
      <br>
      Thanks for all your work on this so far - it's nearly there
      <br>
      IMO and we should be able to get the IETF LC started once
      <br>
      these few things are dealt with.
      <br>
      <br>
      Cheers,
      <br>
      S.
      <br>
      <br>
      <br>
    </blockquote>
  </div>

</blockquote></div><br></body></html>
--Apple-Mail=_9309BC16-F0AE-42D4-8B75-190910F5A199--

--Apple-Mail=_547BD3C2-7528-47CD-B61F-5B5C875F3598
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_547BD3C2-7528-47CD-B61F-5B5C875F3598--

From eran@hueniverse.com  Wed Nov  2 13:12:26 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B5A211E8179 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:12:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.509
X-Spam-Level: 
X-Spam-Status: No, score=-2.509 tagged_above=-999 required=5 tests=[AWL=0.089,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZU8DfoLc3uV for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:12:26 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id DBF7C11E817B for <oauth@ietf.org>; Wed,  2 Nov 2011 13:12:25 -0700 (PDT)
Received: (qmail 14799 invoked from network); 2 Nov 2011 20:12:24 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 2 Nov 2011 20:12:24 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Wed, 2 Nov 2011 13:12:24 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Wed, 2 Nov 2011 13:11:54 -0700
Thread-Topic: [OAUTH-WG] AD review of -22
Thread-Index: AcyZmwOQJxRtzE6eSU+DHBXCpvLukwAAKbSl
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com>
In-Reply-To: <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E72345263321025P3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:12:26 -0000

--_000_90C41DD21FB7C64BB94121FBBC2E72345263321025P3PW5EX1MB01E_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Do you want to see no change or adjust it to client must implement both,
server decides which to use.

EHL

________________________________
From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of John Bradley [ve7jtb@ve7jtb.com]
Sent: Wednesday, November 02, 2011 1:06 PM
To: Torsten Lodderstedt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22

+1
On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:

Hi Stephen,

I'm concerned about your proposal (7) to make support for MAC a MUST for
clients and BEARER a MAY only. In my opinion, this does not reflect the
group's consensus. Besides this, the security threat analysis justifies
usage of BEARER for nearly all use cases as long as HTTPS (incl. server
authentication) can be utilized.

regards,
Torsten.


Am 13.10.2011 19:13, schrieb Stephen Farrell:

Hi all,

Sorry for having been quite slow with this, but I had a bunch
of travel recently.

Anyway, my AD comments on -22 are attached. I think that the
first list has the ones that need some change before we push
this out for IETF LC, there might or might not be something
to change as a result of the 2nd list of questions and the
rest are really nits that can be handled either now or later.

Thanks for all your work on this so far - it's nearly there
IMO and we should be able to get the IETF LC started once
these few things are dealt with.

Cheers,
S.




_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


--_000_90C41DD21FB7C64BB94121FBBC2E72345263321025P3PW5EX1MB01E_--

From phil.hunt@oracle.com  Wed Nov  2 13:18:45 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4480A11E8178 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n7qqVtJPNbsk for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:18:44 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 569E811E8172 for <oauth@ietf.org>; Wed,  2 Nov 2011 13:18:44 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pA2KIgaX020050 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 2 Nov 2011 20:18:43 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pA2KIfVs011552 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Nov 2011 20:18:42 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pA2KIaDR029177; Wed, 2 Nov 2011 15:18:36 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 Nov 2011 13:18:36 -0700
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/alternative; boundary="Apple-Mail=_7B01112C-B0F2-4A80-8058-43994F33F31E"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com>
Date: Wed, 2 Nov 2011 13:18:34 -0700
Message-Id: <91476515-F5FF-49B6-B44A-55E5B48D7632@oracle.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090202.4EB1A5A3.00AA,ss=1,re=0.000,fgs=0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:18:45 -0000

--Apple-Mail=_7B01112C-B0F2-4A80-8058-43994F33F31E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

+1

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-02, at 1:06 PM, John Bradley wrote:

> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> 
>> Hi Stephen,
>> 
>> I'm concerned about your proposal (7) to make support for MAC a MUST
>> for clients and BEARER a MAY only. In my opinion, this does not reflect
>> the group's consensus. Besides this, the security threat analysis
>> justifies usage of BEARER for nearly all use cases as long as HTTPS
>> (incl. server authentication) can be utilized.
>> regards,
>> Torsten.
>> 
>> Am 13.10.2011 19:13, schrieb Stephen Farrell:
>>> 
>>> 
>>> Hi all,
>>> 
>>> Sorry for having been quite slow with this, but I had a bunch
>>> of travel recently.
>>> 
>>> Anyway, my AD comments on -22 are attached. I think that the
>>> first list has the ones that need some change before we push
>>> this out for IETF LC, there might or might not be something
>>> to change as a result of the 2nd list of questions and the
>>> rest are really nits that can be handled either now or later.
>>> 
>>> Thanks for all your work on this so far - it's nearly there
>>> IMO and we should be able to get the IETF LC started once
>>> these few things are dealt with.
>>> 
>>> Cheers,
>>> S.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_7B01112C-B0F2-4A80-8058-43994F33F31E--

From jricher@mitre.org  Wed Nov  2 13:27:53 2011
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E681F0CCD for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:27:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CkbWc0fUQHM9 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:27:52 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id C36271F0CCC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:27:52 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 25D1521B0B99; Wed,  2 Nov 2011 16:27:52 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 1F33921B012A; Wed,  2 Nov 2011 16:27:52 -0400 (EDT)
Received: from [129.83.50.1] (129.83.31.55) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Wed, 2 Nov 2011 16:27:51 -0400
Message-ID: <1320265663.15549.13.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 2 Nov 2011 16:27:43 -0400
In-Reply-To: <91476515-F5FF-49B6-B44A-55E5B48D7632@oracle.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <91476515-F5FF-49B6-B44A-55E5B48D7632@oracle.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.1- 
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:27:53 -0000

+1

Leave the current text as is, keep this part of OAuth token-type
agnostic. 

 -- Justin

On Wed, 2011-11-02 at 13:18 -0700, Phil Hunt wrote:
> +1
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> On 2011-11-02, at 1:06 PM, John Bradley wrote:
> 
> > +1
> > On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> > 
> > > Hi Stephen,
> > > 
> > > I'm concerned about your proposal (7) to make support for MAC a
> > > MUST for clients and BEARER a MAY only. In my opinion, this does
> > > not reflect the group's consensus. Besides this, the security
> > > threat analysis justifies usage of BEARER for nearly all use cases
> > > as long as HTTPS (incl. server authentication) can be utilized.
> > > regards,
> > > Torsten.
> > > 
> > > Am 13.10.2011 19:13, schrieb Stephen Farrell: 
> > > > 
> > > > Hi all, 
> > > > 
> > > > Sorry for having been quite slow with this, but I had a bunch 
> > > > of travel recently. 
> > > > 
> > > > Anyway, my AD comments on -22 are attached. I think that the 
> > > > first list has the ones that need some change before we push 
> > > > this out for IETF LC, there might or might not be something 
> > > > to change as a result of the 2nd list of questions and the 
> > > > rest are really nits that can be handled either now or later.
> > > > 
> > > > Thanks for all your work on this so far - it's nearly there
> > > > IMO and we should be able to get the IETF LC started once 
> > > > these few things are dealt with. 
> > > > 
> > > > Cheers, 
> > > > S. 
> > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > 
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



From stephen.farrell@cs.tcd.ie  Wed Nov  2 13:28:42 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9013F11E811F for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.585
X-Spam-Level: 
X-Spam-Status: No, score=-102.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLll2k+PF-TE for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:28:41 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 975E211E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:28:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 6EC1A153D3A; Wed,  2 Nov 2011 20:28:40 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1320265720; bh=SbFxuNpB7lzT67 P/U1QrF4pQKYgZ1dqXhZYJmqxT3tU=; b=eClrxy6D0wv56VROt6tfXSe046svXO meq3GwKUMDkcapzWsTdMN8P2jjLYykw8dXdFOnQNBp4MVWQd1RuACkMBSeAnOMQa u0wchTaWU/BJeGFgL1BOfXZHabVncKSbtEYct2pzQ2H3w+uWKKCLT+LkgfeiVa/k i1wjpbJ72q52N032/d/0dS9F/mDNBLI+tKHcGgia8PM5akb5blnwGzWMp9SIpsDD sVq0I+nKVVK0+rbGgVsPz7SEhMWbqUNyClXFtwx/ZzuB2P5W4pc+osU0j64wXruO l20zrtvyMjnADWiS7cSPQPDbQcYcBI9CrzsiE2sk3L+x2qD6/TU4L3iA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id cvzUqRAZAF80; Wed,  2 Nov 2011 20:28:40 +0000 (GMT)
Received: from [10.87.48.6] (unknown [86.45.59.36]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 0627A153D39; Wed,  2 Nov 2011 20:28:39 +0000 (GMT)
Message-ID: <4EB1A7E8.5030209@cs.tcd.ie>
Date: Wed, 02 Nov 2011 20:28:24 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>
In-Reply-To: <4EB19DD1.6050904@lodderstedt.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:28:42 -0000

Hi Torsten,

On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote:
> Hi Stephen,
>
> I'm concerned about your proposal (7) to make support for MAC a MUST for
> clients and BEARER a MAY only. In my opinion, this does not reflect the
> group's consensus.

That wasn't quite my comment, which is below:

    (7) Doesn't 7.1 need to say which token types are MTI so that we
    get interop?  I think I'd like to see mac being a MUST and bearer
    being a MAY but regardless of my preference, I don't think you
    can be silent on this. And as a consequence one or both of
    the mac/bearer drafts need to end up as normative.

> Besides this, the security threat analysis justifies
> usage of BEARER for nearly all use cases as long as HTTPS (incl. server
> authentication) can be utilized.

As I said, I personally prefer the mac scheme since it demonstrates
use of a key. However, as I also said, the main concern with this
point is interop. (I do note though that bearer has server-auth TLS
as a MUST USE, so the implication of making bearer a MUST is that
TLS is MTI for the base spec too and a MUST USE for anything
involving the MTI token type.)

In any case I can live with it so long as the set of things that
are MTI is clear.

Incidentally, I don't believe any amount of +1 messages to your
mail answer my point above. As Eran's mail asks: what is it
that you're suggesting be MTI for whom?

S.

>
> regards,
> Torsten.
>
>
> Am 13.10.2011 19:13, schrieb Stephen Farrell:
>>
>> Hi all,
>>
>> Sorry for having been quite slow with this, but I had a bunch
>> of travel recently.
>>
>> Anyway, my AD comments on -22 are attached. I think that the
>> first list has the ones that need some change before we push
>> this out for IETF LC, there might or might not be something
>> to change as a result of the 2nd list of questions and the
>> rest are really nits that can be handled either now or later.
>>
>> Thanks for all your work on this so far - it's nearly there
>> IMO and we should be able to get the IETF LC started once
>> these few things are dealt with.
>>
>> Cheers,
>> S.
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
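
The distinction Stephen draws above (a bearer token is accepted wherever it is presented, so only the TLS channel protects it, whereas a MAC token "demonstrates use of a key" per request) is illustrated by the following added example. It is not code from the thread or from either the bearer or the MAC draft: the tokens, key id and shared secret are constructed, and the normalized request string that the MAC covers is a deliberately simplified assumption (nonce, method, URI, host, port), not the draft's exact wire format. The demo captures one legitimate GET as an on-path attacker would on a non-TLS connection and replays it, verbatim and as a DELETE, against both verifiers.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from the thread or either draft).
BEARER_TOKEN = "constructed-bearer-token"
MAC_KEY_ID = "kid-1"
MAC_KEY = b"constructed-shared-secret"


# --- Bearer: the token string itself is the credential ---------------------

def bearer_header(token: str) -> dict:
    """Client side: attach a bearer token. Nothing in this header depends on
    the request, so channel confidentiality (TLS with server authentication,
    which the bearer draft makes a MUST USE) is all that prevents replay."""
    return {"Authorization": f"Bearer {token}"}


def verify_bearer(headers: dict, method: str, uri: str, valid_tokens: set) -> bool:
    """Resource server side: accept any request that presents a live token.
    method and uri are unused on purpose: the scheme cannot bind them."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and token in valid_tokens


# --- MAC: the client proves possession of a key on every request ------------
# Assumption: a simplified normalized request string. The real MAC draft's
# format differs; the point is only that the MAC covers request details plus
# a one-time nonce under a key the resource server shares with the client.

def normalized_request(nonce: str, method: str, uri: str, host: str, port: int) -> bytes:
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port), ""]).encode()


def mac_header(key_id: str, key: bytes, method: str, uri: str, host: str, port: int,
               nonce: str = "") -> dict:
    """Client side: HMAC-SHA256 over the normalized request under the shared key."""
    nonce = nonce or secrets.token_hex(8)
    digest = hmac.new(key, normalized_request(nonce, method, uri, host, port), hashlib.sha256).digest()
    mac = base64.b64encode(digest).decode()
    return {"Authorization": f'MAC id="{key_id}", nonce="{nonce}", mac="{mac}"'}


def parse_mac_params(auth: str) -> dict:
    """Split 'MAC id="..", nonce="..", mac=".."' into a dict; {} if not a MAC header."""
    scheme, _, rest = auth.partition(" ")
    if scheme != "MAC":
        return {}
    params = {}
    for part in rest.split(","):
        name, _, value = part.strip().partition("=")
        params[name] = value.strip('"')
    return params


def verify_mac(headers: dict, method: str, uri: str, host: str, port: int,
               keys: dict, seen_nonces: set) -> bool:
    """Resource server side: recompute the MAC over the request actually
    received and reject nonce reuse, so a captured header neither replays
    verbatim nor transfers to a different method or URI."""
    params = parse_mac_params(headers.get("Authorization", ""))
    if not all(k in params for k in ("id", "nonce", "mac")):
        return False
    key = keys.get(params["id"])
    if key is None or (params["id"], params["nonce"]) in seen_nonces:
        return False
    expected = hmac.new(key, normalized_request(params["nonce"], method, uri, host, port),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64encode(expected).decode(), params["mac"]):
        return False
    seen_nonces.add((params["id"], params["nonce"]))
    return True


def replay_demo() -> dict:
    """Capture one legitimate GET off the wire (no TLS) and replay it."""
    host, port = "rs.example.com", 443
    valid_tokens = {BEARER_TOKEN}
    keys = {MAC_KEY_ID: MAC_KEY}
    seen = set()

    captured_bearer = bearer_header(BEARER_TOKEN)
    captured_mac = mac_header(MAC_KEY_ID, MAC_KEY, "GET", "/resource/1", host, port)

    return {
        "bearer_legit": verify_bearer(captured_bearer, "GET", "/resource/1", valid_tokens),
        "bearer_replay_as_delete": verify_bearer(captured_bearer, "DELETE", "/resource/1", valid_tokens),
        "mac_legit": verify_mac(captured_mac, "GET", "/resource/1", host, port, keys, seen),
        "mac_replay_verbatim": verify_mac(captured_mac, "GET", "/resource/1", host, port, keys, seen),
        # fresh nonce cache, so only the method/URI binding is what rejects this one
        "mac_replay_as_delete": verify_mac(captured_mac, "DELETE", "/resource/1", host, port, keys, set()),
    }


if __name__ == "__main__":
    for check, accepted in replay_demo().items():
        print(f"{check:24s} accepted={accepted}")
```

Running it shows the bearer verifier accepting both replays while the MAC verifier rejects both, which is the whole interop and security trade-off in the thread: bearer is simpler for clients but makes server-authenticated TLS mandatory in practice, MAC needs key distribution and nonce tracking on the resource server but survives token capture.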

From Michael.Jones@microsoft.com  Wed Nov  2 13:29:04 2011
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E97A011E819F for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:29:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.27
X-Spam-Level: 
X-Spam-Status: No, score=-10.27 tagged_above=-999 required=5 tests=[AWL=0.329,  BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULX+zMlml0vg for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:29:04 -0700 (PDT)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 6350F11E819C for <oauth@ietf.org>; Wed,  2 Nov 2011 13:29:04 -0700 (PDT)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 2 Nov 2011 13:29:03 -0700
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.65]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.01.0355.003; Wed, 2 Nov 2011 13:29:03 -0700
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@mitre.org>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] AD review of -22
Thread-Index: AQHMict1zk8cqcN/m0uxJszI0KCfbJWakauAgAAF/gCAAANJAIAAAo+A//+K1aA=
Date: Wed, 2 Nov 2011 20:29:03 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F6E7C4C@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <91476515-F5FF-49B6-B44A-55E5B48D7632@oracle.com> <1320265663.15549.13.camel@ground>
In-Reply-To: <1320265663.15549.13.camel@ground>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.78]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:29:05 -0000

+1

The predominant industry practice is the use of Bearer tokens, so if either
of Bearer or MAC becomes Mandatory to Implement, it must be the Bearer spec,
with MAC being optional.

I'm fine either remaining silent on this point (leaving the spec token type
agnostic, as Justin suggests), or making Bearer MTI, with MAC either being
optional or not mentioned at all.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Wednesday, November 02, 2011 1:28 PM
To: Phil Hunt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22

+1

Leave the current text as is, keep this part of OAuth token-type agnostic.

 -- Justin

On Wed, 2011-11-02 at 13:18 -0700, Phil Hunt wrote:
> +1
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2011-11-02, at 1:06 PM, John Bradley wrote:
>
> > +1
> > On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> >
> > > Hi Stephen,
> > >
> > > I'm concerned about your proposal (7) to make support for MAC a
> > > MUST for clients and BEARER a MAY only. In my opinion, this does
> > > not reflect the group's consensus. Beside this, the security
> > > threat analysis justifies usage of BEARER for nearly all use cases
> > > as long as HTTPS (incl. server authentication) can be utilized.
> > > regards,
> > > Torsten.
> > >
> > > On 13.10.2011 19:13, Stephen Farrell wrote:
> > > >
> > > > Hi all,
> > > >
> > > > Sorry for having been quite slow with this, but I had a bunch of
> > > > travel recently.
> > > >
> > > > Anyway, my AD comments on -22 are attached. I think that the
> > > > first list has the ones that need some change before we push
> > > > this out for IETF LC, there might or might not be something to
> > > > change as a result of the 2nd list of questions and the rest are
> > > > really nits that can be handled either now or later.
> > > >
> > > > Thanks for all your work on this so far - it's nearly there IMO
> > > > and we should be able to get the IETF LC started once these few
> > > > things are dealt with.
> > > >
> > > > Cheers,
> > > > S.
> > > >
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


From stephen.farrell@cs.tcd.ie  Wed Nov  2 13:31:52 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80A5811E8157 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.586
X-Spam-Level: 
X-Spam-Status: No, score=-102.586 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N+Hfmnq0hL3C for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:31:52 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id DBA9411E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:31:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 3A4B4153D3A for <oauth@ietf.org>; Wed,  2 Nov 2011 20:31:51 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1320265903; bh=mJZr8LmB2HlE1g q7HLFyCkHGIMSMgW4wHvahdDCoBDQ=; b=bxAG2HnI97ubTOJ32zbd3XKfaND6sF gs9hn4oQZGB4mQxZjrrFCda2kOS1GkhO2P6TGlelHjY0RjSfwsD6u280y1g5i0f1 75dNVU0lva5s9kiaZhoyzlFEL23UEZBJSn2FeHIEeq+PJPIQ1TLlasX0burj3Fvk xRMIuSFVelN2N0Yzf71YK23+lWkL4QQYkP55N+h926UnsxXIg7LlEs5JooOXmVpc VCgcjpoU8IMapfUAow3d0WUKbOd1v5nfa0bnXxVFuorPHNcVy7igca4nrgZlCcTC hlNarN7cOVpLChUGST/+xynbxXgkw1q3LjDnYAWa1N0aHXQjaaTD7j5w==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id V8a72QHMneKX for <oauth@ietf.org>; Wed,  2 Nov 2011 20:31:43 +0000 (GMT)
Received: from [10.87.48.6] (unknown [86.45.59.36]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 88E85153D39 for <oauth@ietf.org>; Wed,  2 Nov 2011 20:31:43 +0000 (GMT)
Message-ID: <4EB1A8A5.6030906@cs.tcd.ie>
Date: Wed, 02 Nov 2011 20:31:33 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <91476515-F5FF-49B6-B44A-55E5B48D7632@oracle.com> <1320265663.15549.13.camel@ground>
In-Reply-To: <1320265663.15549.13.camel@ground>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:31:52 -0000

Agnostic sounds like a fine word.

I'd need to have it demonstrated to me that it doesn't
mean non-interoperable in this case.

S.

From ve7jtb@ve7jtb.com  Wed Nov  2 13:37:28 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD12611E8122 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:37:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.532
X-Spam-Level: 
X-Spam-Status: No, score=-3.532 tagged_above=-999 required=5 tests=[AWL=0.066,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oANEo5xCuDsT for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:37:28 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0F68B11E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:37:27 -0700 (PDT)
Received: by ggnv1 with SMTP id v1so594278ggn.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 13:37:27 -0700 (PDT)
Received: by 10.236.22.136 with SMTP id t8mr9639130yht.30.1320266247399; Wed, 02 Nov 2011 13:37:27 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.4.104]) by mx.google.com with ESMTPS id v5sm10425403anf.3.2011.11.02.13.37.24 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Nov 2011 13:37:26 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_CF6FC7A4-1D67-470A-B242-176C0D3D0248"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 2 Nov 2011 17:37:21 -0300
Message-Id: <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:37:29 -0000

--Apple-Mail=_CF6FC7A4-1D67-470A-B242-176C0D3D0248
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_04CB22FA-29A8-4397-A4B2-1E056E5C46D5"


--Apple-Mail=_04CB22FA-29A8-4397-A4B2-1E056E5C46D5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

If the spec requires clients to implement both, the reality is most clients will only implement one and be non-compliant.

Given that OpenID Connect supports Bearer ONLY, requiring clients to support MAC would cause clients to implement code that won't be used.

It is up to the server to decide what formats it will support.  If clients can't talk to the servers they need to then they will support the token format.

I am opposed to making MAC MTI for server or client.

I don't want to start a token war, there are use cases for both, and perhaps others in the future.

So I think that is a Canadian way of saying no change.

John B.


On 2011-11-02, at 5:11 PM, Eran Hammer-Lahav wrote:

> Do you want to see no change or adjust it to client must implement both, server decides which to use.
>
> EHL
>
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of John Bradley [ve7jtb@ve7jtb.com]
> Sent: Wednesday, November 02, 2011 1:06 PM
> To: Torsten Lodderstedt
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
>
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>
>> Hi Stephen,
>>
>> I'm concerned about your proposal (7) to make support for MAC a MUST for clients and BEARER a MAY only. In my opinion, this does not reflect the group's consensus. Beside this, the security threat analysis justifies usage of BEARER for nearly all use cases as long as HTTPS (incl. server authentication) can be utilized.
>> regards,
>> Torsten.
>>
>> On 13.10.2011 19:13, Stephen Farrell wrote:
>>>
>>>
>>> Hi all,
>>>
>>> Sorry for having been quite slow with this, but I had a bunch
>>> of travel recently.
>>>
>>> Anyway, my AD comments on -22 are attached. I think that the
>>> first list has the ones that need some change before we push
>>> this out for IETF LC, there might or might not be something
>>> to change as a result of the 2nd list of questions and the
>>> rest are really nits that can be handled either now or later.
>>>
>>> Thanks for all your work on this so far - it's nearly there
>>> IMO and we should be able to get the IETF LC started once
>>> these few things are dealt with.
>>>
>>> Cheers,
>>> S.
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_04CB22FA-29A8-4397-A4B2-1E056E5C46D5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1


--Apple-Mail=_04CB22FA-29A8-4397-A4B2-1E056E5C46D5--

--Apple-Mail=_CF6FC7A4-1D67-470A-B242-176C0D3D0248
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_CF6FC7A4-1D67-470A-B242-176C0D3D0248--

From phil.hunt@oracle.com  Wed Nov  2 13:45:02 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EADB11E811F for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.901
X-Spam-Level: 
X-Spam-Status: No, score=-5.901 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DHR2ZYY9lCME for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:45:02 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 39DDD11E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:44:54 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pA2Kindj018668 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 2 Nov 2011 20:44:50 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pA2KimwA024528 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Nov 2011 20:44:48 GMT
Received: from abhmt108.oracle.com (abhmt108.oracle.com [141.146.116.60]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pA2Kih4l014712; Wed, 2 Nov 2011 15:44:43 -0500
Received: from [192.168.1.67] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 Nov 2011 13:44:43 -0700
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <91476515-F5FF-49B6-B44A-55E5B48D7632@oracle.com> <1320265663.15549.13.camel@ground> <4EB1A8A5.6030906@cs.tcd.ie>
In-Reply-To: <4EB1A8A5.6030906@cs.tcd.ie>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <7665D063-300D-439C-ABB4-19FD93F8BD73@oracle.com>
X-Mailer: iPhone Mail (9A334)
From: Phillip Hunt <phil.hunt@oracle.com>
Date: Wed, 2 Nov 2011 13:41:58 -0700
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090204.4EB1ABC3.0016,ss=1,re=0.000,fgs=0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:45:02 -0000

The issue is that the service provider will likely only accept ONE token format in practice. The security requirements of the scenario dictate choice of Mac or bearer or for that matter any other new scheme.

An MTI would complicate the spec by implying a choice of tokens by the client because of the implication that the client has the right to select the MTI token format.

Phil

On 2011-11-02, at 13:31, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>
> Agnostic sounds like a fine word.
>
> I'd need to have it demonstrated to me that it doesn't
> mean non-interoperable in this case.
>
> S.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From stephen.farrell@cs.tcd.ie  Wed Nov  2 13:45:32 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22C9A11E8157 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:45:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.588
X-Spam-Level: 
X-Spam-Status: No, score=-102.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAdHdWv0LlbG for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:45:31 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 6624F11E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:45:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id B7C13153D3A; Wed,  2 Nov 2011 20:45:30 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1320266730; bh=W1m2azP8EiD9wD FdIv3cs1QMY+51OysVqZSDvxDG0KM=; b=koW8DeGkK4yVbnsIXZeaMX6RjR9kxe 1HmtSOW0zKV1rQ9nBnNV7LtnKQGrefVwaeg8Qqf2KFbrKTIlL24rZTakBiIoBwA5 xoxOX9eAUbvF4SEprLV8yjTgTJUSBUNJOict+dBlhQ50QbGw8tl1PkCSNaFr393K daH6kM42+1RpeUhYHzn1OZe2Mia6hFjbI8EI+ueSIuQBnfVQPNb391JzMyR8uJlt 88w7U1KyWyoxmZyzxBwMIPwA2e/mDsWg/2wl8m4S1/b2c0sl1X3W0FL/b1E9jsTA 5U0ZaTgPk44/VuCxW7pohHTri15ogA+oaO+UELej6+ulejzlBiAbpZzw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id brEyB6NeV6FR; Wed,  2 Nov 2011 20:45:30 +0000 (GMT)
Received: from [10.87.48.6] (unknown [86.45.59.36]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id D0257153D39; Wed,  2 Nov 2011 20:45:29 +0000 (GMT)
Message-ID: <4EB1ABDF.4030509@cs.tcd.ie>
Date: Wed, 02 Nov 2011 20:45:19 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com>
In-Reply-To: <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:45:32 -0000

So perhaps this is the interesting point of difference.

On 11/02/2011 08:37 PM, John Bradley wrote:
> It is up to the server to decide what formats it will support.

With IETF protocols, it's IETF consensus that decides this in
almost all cases that affect interop and it is therefore not
up to the specific server deployment admin what the server
code will support.

I think this case affects interop and should be treated
as for any other IETF protocol. Am I wrong?

S

From torsten@lodderstedt.net  Wed Nov  2 13:49:44 2011
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D479B11E811F for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level: 
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6PGN3su-J4Pr for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:49:44 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.28]) by ietfa.amsl.com (Postfix) with ESMTP id 16F0511E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:49:43 -0700 (PDT)
Received: from [87.142.252.185] (helo=[192.168.71.38]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1RLhkh-0005g6-Tw; Wed, 02 Nov 2011 21:49:39 +0100
Message-ID: <4EB1ACE2.9070209@lodderstedt.net>
Date: Wed, 02 Nov 2011 21:49:38 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <4EB1A7E8.5030209@cs.tcd.ie>
In-Reply-To: <4EB1A7E8.5030209@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:49:44 -0000

If we must define a mandatory token type then bearer + TLS would be my 
suggestion.

regards,
Torsten.

On 02.11.2011 21:28, Stephen Farrell wrote:
>
> Hi Torsten,
>
> On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote:
>> Hi Stephen,
>>
>> I'm concerned about your proposal (7) to make support for MAC a MUST for
>> clients and BEARER a MAY only. In my opinion, this does not reflect the
>> group's consensus.
>
> That wasn't quite my comment, which is below:
>
>    (7) Doesn't 7.1 need to say which token types are MTI so that we
>    get interop?  I think I'd like to see mac being a MUST and bearer
>    being a MAY but regardless of my preference, I don't think you
>    can be silent on this. And as a consequence one or both of
>    the mac/bearer drafts need to end up as normative.
>
>> Beside this, the security threat analysis justifies
>> usage of BEARER for nearly all use cases as long as HTTPS (incl. server
>> authentication) can be utilized.
>
> As I said, I personally prefer the mac scheme since it demonstrates
> use of a key. However, as I also said, the main concern with this
> point is interop. (I do note though that bearer has server-auth TLS
> as a MUST USE, so the implication of making bearer a MUST is that
> TLS is MTI for the base spec too and a MUST USE for anything
> involving the MTI token type.)
>
> In any case I can live with it so long as the set of things that
> are MTI is clear.
>
> Incidentally, I don't believe any amount of +1 messages to your
> mail answer my point above. As Eran's mail asks: what is it
> that you're suggesting be MTI for whom?
>
> S.
>
>>
>> regards,
>> Torsten.
>>
>>
>> On 13.10.2011 19:13, Stephen Farrell wrote:
>>>
>>> Hi all,
>>>
>>> Sorry for having been quite slow with this, but I had a bunch
>>> of travel recently.
>>>
>>> Anyway, my AD comments on -22 are attached. I think that the
>>> first list has the ones that need some change before we push
>>> this out for IETF LC, there might or might not be something
>>> to change as a result of the 2nd list of questions and the
>>> rest are really nits that can be handled either now or later.
>>>
>>> Thanks for all your work on this so far - it's nearly there
>>> IMO and we should be able to get the IETF LC started once
>>> these few things are dealt with.
>>>
>>> Cheers,
>>> S.
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
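
The bearer-versus-MAC trade-off argued in the exchange above (Stephen's "mac demonstrates use of a key" against Torsten's "bearer + TLS"), as an added Python example that is not part of this thread and not the working group's or either draft's reference code. It assumes constructed credentials, HMAC-SHA256, and a simplified normalized request string in the general shape of the OAuth MAC draft of the time (timestamp, nonce, method, URI, host, port); the 300-second freshness window and the nonce cache are this example's own choices. The bearer check shows why a captured header is reusable as-is, which is what pushes the bearer spec to make server-authenticated TLS a MUST; the MAC check shows what key possession buys (altered requests and replays are rejected without TLS) at the cost of per-request state on the resource server.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Constructed sample credentials; in a real flow the authorization server
# issues these alongside the access token. They are not from any deployment.
BEARER_TOKEN = "mF_9.B5f-4.1JqM"            # bearer: possessing the string is the credential
MAC_ID = "h480djs93hd8"                     # MAC: public identifier sent with each request
MAC_KEY = b"adiajshjzHSFSAkh8S79hg8Hj3"     # MAC: shared secret, never put on the wire


def bearer_header(token):
    """Authorization header value for a bearer token."""
    return "Bearer " + token


def verify_bearer(header, issued):
    """Resource-server check for a bearer token; `issued` maps owner -> token.

    Anyone who captures this header can replay it for any request until the
    token expires: there is nothing request-specific to check.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer":
        return None
    for owner, issued_token in issued.items():
        if hmac.compare_digest(issued_token, token):
            return owner
    return None


def normalized_request(ts, nonce, method, uri, host, port):
    """Request elements the MAC covers (simplified shape of the MAC draft; assumption)."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port)]) + "\n"


def mac_header(key, mac_id, method, uri, host, port, ts=None, nonce=None):
    """Authorization header value for a MAC token: proves possession of `key`."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_urlsafe(8)
    msg = normalized_request(ts, nonce, method, uri, host, port).encode()
    mac = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (mac_id, ts, nonce, mac)


class MacVerifier:
    """Resource-server side of the MAC scheme with replay protection."""

    def __init__(self, keys, window=300):
        self.keys = keys          # mac_id -> shared secret
        self.window = window      # accepted clock skew in seconds (assumption)
        self.seen = set()         # (mac_id, ts, nonce) triples already accepted

    def verify(self, header, method, uri, host, port, now=None):
        if not header.startswith("MAC "):
            return None
        params = dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))
        try:
            mac_id, ts = params["id"], int(params["ts"])
            nonce, mac = params["nonce"], params["mac"]
        except (KeyError, ValueError):
            return None
        key = self.keys.get(mac_id)
        if key is None:
            return None
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window:
            return None                      # stale: outside the replay window
        if (mac_id, ts, nonce) in self.seen:
            return None                      # exact replay of an accepted request
        msg = normalized_request(ts, nonce, method, uri, host, port).encode()
        expected = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
        if not hmac.compare_digest(expected, mac):
            return None                      # wrong key, or method/URI/host altered
        self.seen.add((mac_id, ts, nonce))   # remember only accepted requests
        return mac_id


if __name__ == "__main__":
    print("Authorization:", bearer_header(BEARER_TOKEN))
    print("Authorization:", mac_header(MAC_KEY, MAC_ID, "GET", "/resource/1", "example.com", 443))
```

The verifier records only accepted (id, ts, nonce) triples and bounds the window, so the replay cache can be pruned to a few minutes of entries; the bearer path keeps no state at all, which is exactly why it has to lean on the transport to keep the token from being captured in the first place.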


From eran@hueniverse.com  Wed Nov  2 13:52:03 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC8D11E811F for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.514
X-Spam-Level: 
X-Spam-Status: No, score=-2.514 tagged_above=-999 required=5 tests=[AWL=0.085,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gasp3AUmPcq1 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:52:03 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 0E1A611E80BC for <oauth@ietf.org>; Wed,  2 Nov 2011 13:52:03 -0700 (PDT)
Received: (qmail 11536 invoked from network); 2 Nov 2011 20:52:01 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 2 Nov 2011 20:52:01 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Wed, 2 Nov 2011 13:51:45 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 2 Nov 2011 13:47:01 -0700
Thread-Topic: [OAUTH-WG] AD review of -22
Thread-Index: AcyZoGRZCGPlMCtnQJy2LGe5ycIipwAAC3Hb
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345263321026@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com>, <4EB1ABDF.4030509@cs.tcd.ie>
In-Reply-To: <4EB1ABDF.4030509@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:52:03 -0000

The problem is centered on the definition of a client. If it is a service specific implementation which is merely using OAuth for access, there aren't any interop requirements other than making sure the client and server are compatible. But if the client is a general purpose OAuth library or generic client (e.g. CURL), then the MTI becomes critical for any real interop.

I don't have a strong preference here, but we should clearly define the client characteristics in this discussion since an OAuth client isn't usually similar to an HTTP client in its interop reality.

I am not sure how to craft this language into spec form, but we might want to list such a MTI requirement in terms of a 'client designed to work across multiple providers such as a general purpose library'.

EHL

________________________________________
From: Stephen Farrell [stephen.farrell@cs.tcd.ie]
Sent: Wednesday, November 02, 2011 1:45 PM
To: John Bradley
Cc: Eran Hammer-Lahav; oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22

So perhaps this is the interesting point of difference.

On 11/02/2011 08:37 PM, John Bradley wrote:
> It is up to the server to decide what formats it will support.

With IETF protocols, it's IETF consensus that decides this in
almost all cases that affect interop and it is therefore not
up to the specific server deployment admin what the server
code will support.

I think this case affects interop. and should be treated
as for any other IETF protocol. Am I wrong?

S

From elliot.cameron@covenanteyes.com  Wed Nov  2 13:59:26 2011
Return-Path: <elliot.cameron@covenanteyes.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1B5111E817E for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.486
X-Spam-Level: 
X-Spam-Status: No, score=-0.486 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_IMAGE_ONLY_32=1.778, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tntv5TUBuvmG for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 13:59:26 -0700 (PDT)
Received: from email.covenanteyes.com (email.covenanteyes.com [69.41.14.22]) by ietfa.amsl.com (Postfix) with ESMTP id 16EA611E817C for <oauth@ietf.org>; Wed,  2 Nov 2011 13:59:26 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by email.covenanteyes.com (Postfix) with ESMTP id 689AE64E718 for <oauth@ietf.org>; Wed,  2 Nov 2011 16:59:25 -0400 (EDT)
X-Virus-Scanned: amavisd-new at covenanteyes.com
Received: from email.covenanteyes.com ([127.0.0.1]) by localhost (email.covenanteyes.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D+MqZv8HUKuL for <oauth@ietf.org>; Wed,  2 Nov 2011 16:59:25 -0400 (EDT)
Received: from email.covenanteyes.com (email.covenanteyes.com [69.41.14.22]) by email.covenanteyes.com (Postfix) with ESMTP id 28B8964E710 for <oauth@ietf.org>; Wed,  2 Nov 2011 16:59:25 -0400 (EDT)
Date: Wed, 02 Nov 2011 16:59:25 -0400 (EDT)
From: Elliot Cameron <elliot.cameron@covenanteyes.com>
To: oauth@ietf.org
Message-ID: <079275cb-f23c-46de-92c6-fc308ad2e1eb@email.covenanteyes.com>
In-Reply-To: <d1d379e5-67d7-4c3a-9228-4af00dc06845@email.covenanteyes.com>
Content-Type: multipart/alternative; boundary="=_973e56ac-6a4c-410b-9c22-8a7b88099a30"
MIME-Version: 1.0
X-Originating-IP: [69.41.14.130]
X-Mailer: Zimbra 7.1.2_GA_3268 (ZimbraWebClient - SAF3 (Linux)/7.1.2_GA_3268)
Subject: [OAUTH-WG] Authentication Methods
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 21:02:39 -0000

--=_973e56ac-6a4c-410b-9c22-8a7b88099a30
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

What are some common or suggested authentication methods that are used in conjunction with OAuth 2.0? 
Is TLS/SSL the only standard one or do people normally roll their own authentication within OAuth's flows? 




Elliot Cameron 
Covenant Eyes Software Developer 
elliot.cameron@covenanteyes.com 
810-771-8322 


--=_973e56ac-6a4c-410b-9c22-8a7b88099a30--

From ve7jtb@ve7jtb.com  Wed Nov  2 14:04:35 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 881E61F0C5D for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:04:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.537
X-Spam-Level: 
X-Spam-Status: No, score=-3.537 tagged_above=-999 required=5 tests=[AWL=0.062,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1R7jftmGiEDI for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:04:35 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id D03371F0C59 for <oauth@ietf.org>; Wed,  2 Nov 2011 14:04:34 -0700 (PDT)
Received: by ywt2 with SMTP id 2so627918ywt.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 14:04:34 -0700 (PDT)
Received: by 10.236.154.3 with SMTP id g3mr9853439yhk.119.1320267874416; Wed, 02 Nov 2011 14:04:34 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.4.104]) by mx.google.com with ESMTPS id q57sm5860606yhi.22.2011.11.02.14.04.31 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Nov 2011 14:04:32 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_ACCFE374-8654-48AE-AA32-BC018A410705"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263321026@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 2 Nov 2011 18:04:29 -0300
Message-Id: <F83519DD-9BE1-4616-AE7B-B5116BD7C3E4@ve7jtb.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com>, <4EB1ABDF.4030509@cs.tcd.ie> <90C41DD21FB7C64BB94121FBBC2E72345263321026@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 21:04:35 -0000

--Apple-Mail=_ACCFE374-8654-48AE-AA32-BC018A410705
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I could probably live with the client needing to support both token types if we quite narrowly define client as a general purpose library designed to support multiple protocols using OAuth for authorization.

That however is not the general use of the term in OAuth 2.0.

Many clients will be optimized to work only with Bearer + TLS knowing in advance that the protocols they are used with only require Bearer.

John B.



On 2011-11-02, at 5:47 PM, Eran Hammer-Lahav wrote:

> The problem is centered on the definition of a client. If it is a service specific implementation which is merely using OAuth for access, there aren't any interop requirements other than making sure the client and server are compatible. But if the client is a general purpose OAuth library or generic client (e.g. CURL), then the MTI becomes critical for any real interop.
>
> I don't have a strong preference here, but we should clearly define the client characteristics in this discussion since an OAuth client isn't usually similar to an HTTP client in its interop reality.
>
> I am not sure how to craft this language into spec form, but we might want to list such a MTI requirement in terms of a 'client designed to work across multiple providers such as a general purpose library'.
>
> EHL
>
> ________________________________________
> From: Stephen Farrell [stephen.farrell@cs.tcd.ie]
> Sent: Wednesday, November 02, 2011 1:45 PM
> To: John Bradley
> Cc: Eran Hammer-Lahav; oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
>
> So perhaps this is the interesting point of difference.
>
> On 11/02/2011 08:37 PM, John Bradley wrote:
>> It is up to the server to decide what formats it will support.
>
> With IETF protocols, it's IETF consensus that decides this in
> almost all cases that affect interop and it is therefore not
> up to the specific server deployment admin what the server
> code will support.
>
> I think this case affects interop. and should be treated
> as for any other IETF protocol. Am I wrong?
>
> S


--Apple-Mail=_ACCFE374-8654-48AE-AA32-BC018A410705
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_ACCFE374-8654-48AE-AA32-BC018A410705--

From jricher@mitre.org  Wed Nov  2 14:09:00 2011
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BECD011E8162 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:09:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLBJb5yAv0b5 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:09:00 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4B64011E811F for <oauth@ietf.org>; Wed,  2 Nov 2011 14:09:00 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id CA5DE21B0269; Wed,  2 Nov 2011 17:08:59 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C485921B0185; Wed,  2 Nov 2011 17:08:59 -0400 (EDT)
Received: from [129.83.50.1] (129.83.31.55) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Wed, 2 Nov 2011 17:08:59 -0400
Message-ID: <1320268131.15549.20.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: Elliot Cameron <elliot.cameron@covenanteyes.com>
Date: Wed, 2 Nov 2011 17:08:51 -0400
In-Reply-To: <079275cb-f23c-46de-92c6-fc308ad2e1eb@email.covenanteyes.com>
References: <079275cb-f23c-46de-92c6-fc308ad2e1eb@email.covenanteyes.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.1- 
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authentication Methods
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 21:09:00 -0000

Please clarify what you're asking, if you would: There are two kinds of
authentication which happen with OAuth: client authentication and user
authentication, neither of which is standardized on two-way TLS.

Client authentication happens at the token endpoint and is described in
section 2.3, which recommends use of HTTP Basic but allows for form
parameters or other, out-of-scope methods such as client assertions. 

User authentication happens at the authorization endpoint and is
completely outside of the scope of OAuth (by design). You can use
whatever means you like to authenticate the user here, from a local
username/password, OpenID, SAML, NTLM, whatever. OAuth makes no
assumptions about how that happens and makes no recommendations, either.

 -- Justin

On Wed, 2011-11-02 at 16:59 -0400, Elliot Cameron wrote:
> What are some common or suggested authentication methods that are used
> in conjunction with OAuth 2.0?
> Is TLS/SSL the only standard one or do people normally roll their own
> authentication within OAuth's flows?
> 
> Elliot Cameron
> 
> Covenant Eyes Software Developer
> 
> elliot.cameron@covenanteyes.com
> 
> 810-771-8322
> 
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



From ve7jtb@ve7jtb.com  Wed Nov  2 14:14:02 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8369D11E8162 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:14:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.541
X-Spam-Level: 
X-Spam-Status: No, score=-3.541 tagged_above=-999 required=5 tests=[AWL=0.057,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxUNsF2BvGlM for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:14:01 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4259F11E811F for <oauth@ietf.org>; Wed,  2 Nov 2011 14:14:01 -0700 (PDT)
Received: by ywt2 with SMTP id 2so635682ywt.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 14:13:33 -0700 (PDT)
Received: by 10.150.14.9 with SMTP id 9mr6954167ybn.80.1320268413631; Wed, 02 Nov 2011 14:13:33 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.4.104]) by mx.google.com with ESMTPS id l8sm10705767anb.1.2011.11.02.14.13.29 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Nov 2011 14:13:30 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_194C94DD-8389-4FC4-B489-3D7728BE9693"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <079275cb-f23c-46de-92c6-fc308ad2e1eb@email.covenanteyes.com>
Date: Wed, 2 Nov 2011 18:13:16 -0300
Message-Id: <D65EE252-FA56-4733-83E8-5A3EE3E0FF2E@ve7jtb.com>
References: <079275cb-f23c-46de-92c6-fc308ad2e1eb@email.covenanteyes.com>
To: Elliot Cameron <elliot.cameron@covenanteyes.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authentication Methods
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 21:14:02 -0000

--Apple-Mail=_194C94DD-8389-4FC4-B489-3D7728BE9693
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_F1BF0065-CBC2-441F-9C04-D659932D1F9D"


--Apple-Mail=_F1BF0065-CBC2-441F-9C04-D659932D1F9D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

That probably depends on what authentication you are asking about.

Authentication of the client to the protected resource has two profiles: MAC & Bearer.
Authentication of the client to the Token Endpoint has an example in the OAuth spec using client_id and a symmetric secret.
That is extensible, and OpenID Connect defines an additional method using asymmetric keys.

Authentication of the resource owner to the authorization server is roll your own :)

Authentication of the Authorization server/token endpoint/protected resource to the client is TLS for the most part.

Regards
John B.
On 2011-11-02, at 5:59 PM, Elliot Cameron wrote:

> What are some common or suggested authentication methods that are used in conjunction with OAuth 2.0?
> Is TLS/SSL the only standard one or do people normally roll their own authentication within OAuth's flows?
>=20
> Elliot Cameron
> Covenant Eyes Software Developer
> elliot.cameron@covenanteyes.com
> 810-771-8322
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
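
The two replies above (Justin Richer's and John Bradley's) both describe client authentication at the token endpoint: section 2.3 recommends HTTP Basic with client_id and a symmetric secret, and allows the same credentials as form parameters. The following is an added example, not code from the OAuth draft or from either poster, showing what an authorization server's token endpoint has to do with those credentials. The in-memory client registry, its client_id/secret values and the function names are hypothetical; the form-urlencode-then-base64 encoding of the Basic credential and the rule that a request may use only one authentication method follow RFC 6749 (the published form of this draft).

```python
"""Token-endpoint client authentication (added example, hypothetical registry)."""
import base64
import binascii
import hmac
from typing import Mapping, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample registry: client_id -> client_secret. Hypothetical values;
# a real server would store a hash of the secret rather than the secret itself.
CLIENT_REGISTRY: Mapping[str, str] = {
    "s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw",
    "web-app-42": "correct horse battery staple",
}


def make_basic_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic.

    RFC 6749 section 2.3.1: client_id and client_secret are each
    form-urlencoded, joined with ':', then base64-encoded.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_basic_credentials(auth_header: str) -> Optional[Tuple[str, str]]:
    """Extract (client_id, client_secret) from a Basic Authorization header.

    Returns None for a missing header, a non-Basic scheme, invalid base64,
    or a decoded value without the ':' separator.
    """
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = decoded.partition(":")
    if not sep:
        return None
    # Undo the form-urlencoding applied by the client (see make_basic_header).
    return unquote(user), unquote(secret)


def authenticate_client(headers: Mapping[str, str], form: Mapping[str, str],
                        registry: Mapping[str, str] = CLIENT_REGISTRY) -> Optional[str]:
    """Return the authenticated client_id, or None if authentication fails.

    Prefers HTTP Basic (the recommended method) and falls back to the
    client_id/client_secret form parameters. A request that presents
    credentials both ways is rejected: the spec forbids more than one
    client authentication method in a single request.
    """
    basic = parse_basic_credentials(headers.get("Authorization", ""))
    form_creds = None
    if "client_secret" in form:
        form_creds = (form.get("client_id", ""), form["client_secret"])
    if basic and form_creds:
        return None
    creds = basic or form_creds
    if creds is None:
        return None
    client_id, presented = creds
    expected = registry.get(client_id)
    # Compare against a same-length dummy when the client_id is unknown so
    # the comparison takes the same time whether or not the client exists.
    reference = expected if expected is not None else "\0" * len(presented)
    matches = hmac.compare_digest(presented.encode("utf-8"), reference.encode("utf-8"))
    return client_id if (expected is not None and matches) else None


if __name__ == "__main__":
    hdr = make_basic_header("web-app-42", "correct horse battery staple")
    print(authenticate_client({"Authorization": hdr}, {}))          # web-app-42
    print(authenticate_client({}, {"client_id": "s6BhdRkqt3",
                                   "client_secret": "wrong"}))     # None
```

The constant-time comparison and the same-length dummy matter because the token endpoint is reachable by anyone who can guess a client_id; a plain string comparison would let timing reveal both whether a client_id is registered and how much of the secret matched.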


--Apple-Mail=_F1BF0065-CBC2-441F-9C04-D659932D1F9D--

--Apple-Mail=_194C94DD-8389-4FC4-B489-3D7728BE9693
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_194C94DD-8389-4FC4-B489-3D7728BE9693--

From torsten@lodderstedt.net  Wed Nov  2 14:27:14 2011
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 798C91F0CB4 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:27:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOawBzfqonSk for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 14:27:13 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.100]) by ietfa.amsl.com (Postfix) with ESMTP id 5833C1F0C59 for <oauth@ietf.org>; Wed,  2 Nov 2011 14:27:13 -0700 (PDT)
Received: from [87.142.252.185] (helo=[192.168.71.38]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1RLiKz-0001zd-0a; Wed, 02 Nov 2011 22:27:09 +0100
Message-ID: <4EB1B5AB.6020208@lodderstedt.net>
Date: Wed, 02 Nov 2011 22:27:07 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: =?ISO-8859-1?Q?Andr=E9_DeMarre?= <andredemarre@gmail.com>
References: <CAEwGkqDscS5ke4KmoVUF3nDjS-1b+SuT_hCb59+rCuokmhPOVQ@mail.gmail.com> <CAEwGkqAfvq=rZUMOVTWqrV1H6fuSYGC=EDa=1JW7htP5-dbW_g@mail.gmail.com>
In-Reply-To: <CAEwGkqAfvq=rZUMOVTWqrV1H6fuSYGC=EDa=1JW7htP5-dbW_g@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 21:27:14 -0000

Hi Andre,

how do you think the threat you described differs from 
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4?

regards,
Torsten.
Am 26.10.2011 22:44, schrieb André DeMarre:
> Should a brief explanation of this be added to the Threat Model and
> Security Considerations document? Or does anyone even agree that this
> can be a problem?
>
> Regards,
> Andre DeMarre
>
> On Tue, Oct 4, 2011 at 11:32 AM, André DeMarre<andredemarre@gmail.com>  wrote:
>> I've not seen this particular variant of phishing and client
>> impersonation discussed. A cursory search revealed that most of the
>> related discussion centers around either (a) client impersonation with
>> stolen client credentials or (b) phishing by malicious clients
>> directing resource owners to spoofed authorization servers. This is
>> different.
>>
>> This attack exploits the trust a resource owner has for an OAuth
>> authorization server so as to lend repute to a malicious client
>> pretending to be from a trustworthy source. This is not necessarily a
>> direct vulnerability of OAuth; rather, it shows that authorization
>> servers have a responsibility regarding client application names and
>> how they present resource owners with the option to allow or deny
>> authorization.
>>
>> A key to this exploit is the process of client registration with the
>> authorization server. A malicious client developer registers his
>> client application with a name that appears to represent a legitimate
>> organization which resource owners are likely to trust. Resource
>> owners at the authorization endpoint may be misled into granting
>> authorization when they see the authorization server asserting "<some
>> trustworthy name>  is requesting permission to..."
>>
>> Imagine someone registers a client application with an OAuth service,
>> let's call it Foobar, and he names his client app "Google, Inc.". The
>> Foobar authorization server will engage the user with "Google, Inc. is
>> requesting permission to do the following." The resource owner might
>> reason, "I see that I'm legitimately on the https://www.foobar.com
>> site, and Foobar is telling me that Google wants permission. I trust
>> Foobar and Google, so I'll click Allow."
>>
>> To make the masquerade act even more convincing, many of the most
>> popular OAuth services allow app developers to upload images which
>> could be official logos of the organizations they are posing as. Often
>> app developers can supply arbitrary, unconfirmed URIs which are shown
>> to the resource owner as the app's website, even if the domain does
>> not match the redirect URI. Some OAuth services blindly entrust client
>> apps to customize the authorization page in other ways.
>>
>> This is hard to defend against. Authorization server administrators
>> could police client names, but that approach gives them a burden
>> similar to certificate authorities to verify organizations before
>> issuing certificates. Very expensive.
>>
>> A much simpler solution is for authorization servers to be careful
>> with their wording and educate resource owners about the need for
>> discretion when granting authority. Foobar's message above could be
>> changed: "An application calling itself Google, Inc. is requesting
>> permission to do the following" later adding, "Only allow this request
>> if you are sure of the application's source." Such wording is less
>> likely to give the impression that the resource server is vouching for
>> the application's identity.
>>
>> Authorization servers would also do well to show the resource owner
>> additional information about the client application to help them make
>> informed decisions. For example, it could display all or part of the
>> app's redirect URI, saying, "The application is operating on
>> example.com" or "If you decide to allow this application, your browser
>> will be directed to http://www.example.com/." Further, if the client
>> app's redirect URI uses TLS (something authorization servers might
>> choose to mandate), then auth servers can verify the certificate and
>> show the certified organization name to resource owners.
>>
>> This attack is possible with OAuth 1, but OAuth 2 makes successful
>> exploitation easier. OAuth 1 required the client to obtain temporary
>> credentials (aka access tokens) before sending resource owners to the
>> authorization endpoint. Now with OAuth 2, this attack does not require
>> resource owners to interact with the client application before
>> visiting the authorization server. The malicious client developer only
>> needs to distribute links around the web to the authorization server's
>> authorization endpoint. If the HTTP service is a social platform, the
>> client app might distribute links using resource owners' accounts with
>> the access tokens it has acquired, becoming a sort of worm. Continuing
>> the Google/Foobar example above, it might use anchor text such as "I
>> used Google Plus to synchronize with my Foobar account." Moreover, if
>> the app's redirect URI bounces the resource owner back to the HTTP
>> service after acquiring an authorization code, the victim will never
>> see a page rendered at the insidious app's domain.
>>
>> This is especially dangerous because the public is not trained to
>> defend against it. Savvy users are (arguably) getting better at
>> protecting themselves from traditional phishing by verifying the
>> domain in the address bar, and perhaps checking TLS certificates, but
>> such defenses are irrelevant here. Resource owners now need to verify
>> not only that they are on the legitimate authorization server, but also
>> to consider the trustworthiness of the link that referred them there.
>>
>> I'm not sure what can or should be done, but I think it's important
>> for authorization server implementers to be aware of this attack. If
>> administrators are not able to authenticate client organizations, then
>> they are shifting this burden to resource owners. They should do all
>> they can to educate resource owners and help them make informed
>> decisions before granting authorization.
>>
>> Regards,
>> Andre DeMarre
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
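
The consent-screen mitigations in the quoted message (wording that does not vouch for the client, disclosure of the host the browser will be sent to, and a check that the developer-supplied website matches the registered redirect URI) can be put into a small authorization-server helper. The code below is an added example written for this archive; it is not code from the thread, from any authorization server named in it, or from the OAuth drafts. The ClientRegistration fields, the function names and the sample registrations are assumptions made here.

```python
"""Consent-screen rendering for an OAuth 2 authorization server.

Added example (not from the mailing-list thread or any real AS code). It
applies the mitigations described in the quoted message: cautionary wording
that does not vouch for the client's identity, and disclosure of the host
the user will be sent to, derived from the registered redirect URI rather
than from a developer-supplied "website" field. Registrations are
constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ClientRegistration:
    client_id: str
    display_name: str   # free text chosen by the developer; untrusted
    website: str        # free text chosen by the developer; untrusted
    redirect_uri: str   # validated at registration; the only anchored fact


class ConsentError(ValueError):
    """Raised when a registration cannot be rendered safely."""


def redirect_host(reg: ClientRegistration) -> str:
    """Return the host the browser will be sent to after consent.

    Only an absolute https:// redirect URI with a host is accepted. That is
    the "mandate TLS" option from the message, and it makes the displayed
    host one the AS could later tie to a certificate.
    """
    parts = urlsplit(reg.redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ConsentError(f"redirect_uri must be an absolute https URL: {reg.redirect_uri!r}")
    return parts.hostname.lower()


def website_matches_redirect(reg: ClientRegistration) -> bool:
    """True when the developer-supplied website host equals the redirect host."""
    parts = urlsplit(reg.website)
    return bool(parts.hostname) and parts.hostname.lower() == redirect_host(reg)


def consent_text(reg: ClientRegistration, scopes: list) -> str:
    """Build the consent text shown to the resource owner.

    The name is presented as a claim ("calling itself"), the redirect host
    is always shown, and a website that does not match the redirect host is
    withheld rather than displayed next to the claimed name.
    """
    host = redirect_host(reg)
    lines = [f'An application calling itself "{reg.display_name}" is requesting permission to:']
    lines += [f"  - {scope}" for scope in scopes]
    lines.append(f"If you allow this request, your browser will be directed to https://{host}/")
    if website_matches_redirect(reg):
        lines.append(f"The application's stated website is {reg.website}")
    else:
        lines.append("The application's stated website does not match where you will be sent; it is not shown.")
    lines.append("Only allow this request if you are sure of the application's source.")
    return "\n".join(lines)
```

The point of deriving the host from the redirect URI is that it is the one value the authorization server actually validates and will honour; a name, logo or website field is free text the attacker chooses. Certificate-based display of an organization name, as the message suggests, would sit on top of `redirect_host` and is not attempted here.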


From nov@matake.jp  Tue Nov  1 20:08:09 2011
Return-Path: <nov@matake.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C88441F0C55 for <oauth@ietfa.amsl.com>; Tue,  1 Nov 2011 20:08:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.97
X-Spam-Level: 
X-Spam-Status: No, score=-2.97 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_RECV_IP_218216=0.629]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GohMA9HWjog9 for <oauth@ietfa.amsl.com>; Tue,  1 Nov 2011 20:08:09 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 492DD11E8080 for <oauth@ietf.org>; Tue,  1 Nov 2011 20:08:09 -0700 (PDT)
Received: by gye5 with SMTP id 5so462668gye.31 for <oauth@ietf.org>; Tue, 01 Nov 2011 20:08:08 -0700 (PDT)
Received: by 10.236.114.83 with SMTP id b59mr4310237yhh.10.1320203288779; Tue, 01 Nov 2011 20:08:08 -0700 (PDT)
Received: from [172.16.8.184] ([218.223.19.176]) by mx.google.com with ESMTPS id c44sm1980898yhm.5.2011.11.01.20.08.07 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 01 Nov 2011 20:08:08 -0700 (PDT)
From: nov matake <nov@matake.jp>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Wed, 2 Nov 2011 12:08:05 +0900
Message-Id: <73915F72-4D3A-46D3-A8AA-74D67D519726@matake.jp>
To: oauth WG <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1251.1)
X-Mailer: Apple Mail (2.1251.1)
X-Mailman-Approved-At: Wed, 02 Nov 2011 14:51:18 -0700
Subject: [OAUTH-WG] small typo in core draft 22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 03:09:45 -0000

If it's already reported, my apologies.

In section 8.4, "If a response type contains one of more space characters".
It should be "one or more".

Thanks

--
nov matake

From andredemarre@gmail.com  Wed Nov  2 15:45:25 2011
Return-Path: <andredemarre@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F05F81F0C3F for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 15:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level: 
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tgoT07iEkzAE for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 15:45:25 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5C5D31F0C3D for <oauth@ietf.org>; Wed,  2 Nov 2011 15:45:25 -0700 (PDT)
Received: by iaeo4 with SMTP id o4so787783iae.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 15:45:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Wgkzegu6UfOZqGZg4tho3ZeP9IcWUfeBLMguSSYIyIs=; b=b7mOs79lEpmzL//r7ZaJQssDLEdSZ2PhyhODlsVYE7B8HvYez4fBtY6jP/0QDzlYfU azr0eJYM8Kvi/JMcBKP74zgYZk1fmHZrZCV1Vm8OLndxXymbSToNu8A7rZCRSZZbKFSm rQ1bP1QowUxw4VpyFC7hEENzXU0cAzTDJvfY0=
MIME-Version: 1.0
Received: by 10.42.155.133 with SMTP id u5mr5160746icw.8.1320273924428; Wed, 02 Nov 2011 15:45:24 -0700 (PDT)
Received: by 10.42.151.131 with HTTP; Wed, 2 Nov 2011 15:45:24 -0700 (PDT)
In-Reply-To: <F83519DD-9BE1-4616-AE7B-B5116BD7C3E4@ve7jtb.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com> <4EB1ABDF.4030509@cs.tcd.ie> <90C41DD21FB7C64BB94121FBBC2E72345263321026@P3PW5EX1MB01.EX1.SECURESERVER.NET> <F83519DD-9BE1-4616-AE7B-B5116BD7C3E4@ve7jtb.com>
Date: Wed, 2 Nov 2011 15:45:24 -0700
Message-ID: <CAEwGkqB-YjZ_0bYLk8mz8bLEpdEJG65GiFL+GdbuhNv6yBybgg@mail.gmail.com>
From: =?ISO-8859-1?Q?Andr=E9_DeMarre?= <andredemarre@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 22:45:26 -0000

Eran's point about the definition of a client is an important one.
There are two breeds of OAuth clients: (1) general purpose and (2)
purpose-built for a specific OAuth service.

When discussing interop, something to consider about OAuth is that
discovery is not part of the core spec, which IMHO leads to many
special purpose clients for a particular web service. This fits well
with many OAuth use cases and isn't a bad thing, simply something that
distinguishes OAuth from protocols like OpenID, where it is a
design goal for all clients to be compatible with all OpenID identity
providers.

With the current OAuth landscape, to me it seems reasonable to say
that clients SHOULD support both mac and bearer access token types,
but MAY choose to support any access token types needed to achieve
compatibility with the desired server(s).

Regards,
Andre DeMarre
On Wed, Nov 2, 2011 at 2:04 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I could probably live with the client needing to support both token types
> if we quite narrowly define client as a general purpose library designed
> to support multiple protocols using OAuth for authorization.
>
> That however is not the general use of the term in OAuth 2.0.
>
> Many clients will be optimized to work only with Bearer + TLS knowing in
> advance that the protocols they are used with only require Bearer.
>
> John B.
>
>
>
> On 2011-11-02, at 5:47 PM, Eran Hammer-Lahav wrote:
>
>> The problem is centered on the definition of a client. If it is a service
>> specific implementation which is merely using OAuth for access, there
>> aren't any interop requirements other than making sure the client and
>> server are compatible. But if the client is a general purpose OAuth
>> library or generic client (e.g. CURL), then the MTI becomes critical for
>> any real interop.
>>
>> I don't have a strong preference here, but we should clearly define the
>> client characteristics in this discussion since an OAuth client isn't
>> usually similar to an HTTP client in its interop reality.
>>
>> I am not sure how to craft this language into spec form, but we might
>> want to list such a MTI requirement in terms of a 'client designed to
>> work across multiple providers such as a general purpose library'.
>>
>> EHL
>>
>> ________________________________________
>> From: Stephen Farrell [stephen.farrell@cs.tcd.ie]
>> Sent: Wednesday, November 02, 2011 1:45 PM
>> To: John Bradley
>> Cc: Eran Hammer-Lahav; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] AD review of -22
>>
>> So perhaps this is the interesting point of difference.
>>
>> On 11/02/2011 08:37 PM, John Bradley wrote:
>>> It is up to the server to decide what formats it will support.
>>
>> With IETF protocols, its IETF consensus that decides this in
>> almost all cases that affect interop and it is therefore not
>> up to the specific server deployment admin what the server
>> code will support.
>>
>> I think this case affects interop. and should be treated
>> as for any other IETF protocol. Am I wrong?
>>
>> S
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

From wmills@yahoo-inc.com  Wed Nov  2 15:49:28 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B33071F0C95 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 15:49:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.435
X-Spam-Level: 
X-Spam-Status: No, score=-17.435 tagged_above=-999 required=5 tests=[AWL=0.162, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AjqkS12hZy1 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 15:49:27 -0700 (PDT)
Received: from nm29-vm0.bullet.mail.ac4.yahoo.com (nm29-vm0.bullet.mail.ac4.yahoo.com [98.139.52.248]) by ietfa.amsl.com (Postfix) with SMTP id A06E31F0C57 for <oauth@ietf.org>; Wed,  2 Nov 2011 15:49:27 -0700 (PDT)
Received: from [98.139.52.191] by nm29.bullet.mail.ac4.yahoo.com with NNFMP; 02 Nov 2011 22:49:00 -0000
Received: from [98.139.52.134] by tm4.bullet.mail.ac4.yahoo.com with NNFMP; 02 Nov 2011 22:49:00 -0000
Received: from [127.0.0.1] by omp1017.mail.ac4.yahoo.com with NNFMP; 02 Nov 2011 22:49:00 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 122246.39537.bm@omp1017.mail.ac4.yahoo.com
Received: (qmail 9106 invoked by uid 60001); 2 Nov 2011 22:48:59 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1320274139; bh=2bWdBoFDJ/1Lh3W6xYkXynvE8QZefpyV6/4MV9TKouE=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Mu2Cf4PEm9iN+XNhokoNogz0+JnqUaoWU/ZfBkvyjtScbQdSyVq3xc8MIS6jTNSxbLX46SU70g2VR4qZx8/rYM11Z9d1VQvl3VmLaqbyIkYfa1SIBrHwFrblGpXdgKzAyrmm7k3WsBeEae1h1Q3B0AM5nZdewCmXNxf31WAiCS4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=b0b02/qOOSgqPH4g7ehMS1dPVsjkGnDYwi280RpxNUjcbhQ26zJydEirec3Meau4WQttu4uxXCM3+L99uymNJHQhrdaMNRr7YwcqZVSXoDB55lhOXBtgmeJnoqwdBXGcw9WyTzJAcwc60zUOQTbexKWgGCSuKV98ayxZoUxCTfs=;
X-YMail-OSG: 5FN1nGgVM1m8TB_B05m5XXehpV5t2YTCPWQ7kPXzlPYPybJ kkazqs2BwJiWp3ccH7hAE5bZyITVtCgL3sajv9WFYIP_zsr3qIAOunr0HqJO RymZt5HubHUZRolh8scemiiysuSMaSVK_gK1hdpEJJLakuMg.ZY_x6hwPKhm h1jy8xBY0QwmVE1QBBrML6cmWokHT8vUj4cprThuer6lqLhLwjk5WgHjMB0y 8T36WgBmZygUVpy1DoAKr1Q5icyofT08xmFKlkhVrYCuyhGlrDcM3ChZrxfo U3rNKjqmGrk9Pk7pekb_Nujk0Fae6naZwoPJqclX5.JrfHzTnorSXz6SvqFl JqDajYDTgScBmY90b8S2YcuOcTaQCcIvbMS2wBtTGAO4joUupKDzG0zXAAwD pzIVyMNfFdeMKolvsm2K1Hm0hEISC_9sLOmTo
Received: from [209.131.62.113] by web31809.mail.mud.yahoo.com via HTTP; Wed, 02 Nov 2011 15:48:59 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.330114
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Wed, 2 Nov 2011 15:48:59 -0700 (PDT)
From: William Mills <wmills@yahoo-inc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, John Bradley <ve7jtb@ve7jtb.com>,  Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1393739988-1320274139=:8042"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 22:49:28 -0000

--0-1393739988-1320274139=:8042
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

I actually think the protected resource specifies the token type(s) in
either its service docs or discovery information, and it does so knowing
its authentication server will issue compatible tokens.  The client may
encounter endpoints requiring token types it doesn't support, and it
needs to fail gracefully.  The client may select any supported OAuth 2
scheme it understands which the PR supports.

I am not in favor of specifying MUST for any particular flavor of token.

What is the value of mandating a token type?

-bill

________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Bradley <ve7jtb@ve7jtb.com>; Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Sent: Wednesday, November 2, 2011 1:11 PM
Subject: Re: [OAUTH-WG] AD review of -22

Do you want to see no change or adjust it to client must implement both,
server decides which to use.

EHL

________________________________
From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of John Bradley [ve7jtb@ve7jtb.com]
Sent: Wednesday, November 02, 2011 1:06 PM
To: Torsten Lodderstedt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22

+1

On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:

> Hi Stephen,
>
> I'm concerned about your proposal (7) to make support for MAC a MUST
> for clients and BEARER a MAY only. In my opinion, this does not reflect
> the group's consensus. Besides this, the security threat analysis
> justifies usage of BEARER for nearly all use cases as long as HTTPS
> (incl. server authentication) can be utilized.
>
> regards,
> Torsten.
>
> On 13.10.2011 19:13, Stephen Farrell wrote:
>
>> Hi all,
>>
>> Sorry for having been quite slow with this, but I had a bunch
>> of travel recently.
>>
>> Anyway, my AD comments on -22 are attached. I think that the
>> first list has the ones that need some change before we push
>> this out for IETF LC, there might or might not be something
>> to change as a result of the 2nd list of questions and the
>> rest are really nits can be handled either now or later.
>>
>> Thanks for all your work on this so far - it's nearly there
>> IMO and we should be able to get the IETF LC started once
>> these few things are dealt with.
>>
>> Cheers,
>> S.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--0-1393739988-1320274139=:8042--

From James.H.Manger@team.telstra.com  Wed Nov  2 16:21:58 2011
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C59F211E80E1 for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 16:21:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.623
X-Spam-Level: 
X-Spam-Status: No, score=-3.623 tagged_above=-999 required=5 tests=[AWL=-2.722, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EBHZOmTUeEcv for <oauth@ietfa.amsl.com>; Wed,  2 Nov 2011 16:21:57 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id 7090511E80AD for <oauth@ietf.org>; Wed,  2 Nov 2011 16:21:56 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.69,446,1315144800"; d="scan'208";a="52839757"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipocvi.tcif.telstra.com.au with ESMTP; 03 Nov 2011 10:21:54 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6518"; a="40975875"
Received: from wsmsg3755.srv.dir.telstra.com ([172.49.40.196]) by ipccvi.tcif.telstra.com.au with ESMTP; 03 Nov 2011 10:21:53 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3755.srv.dir.telstra.com ([172.49.40.196]) with mapi; Thu, 3 Nov 2011 10:21:53 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 3 Nov 2011 10:21:52 +1100
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
Thread-Index: AcyZfuJ0qW0WG7WhQre+j+LY1N0ITAANJSpg
Message-ID: <255B9BB34FB7D647A506DC292726F6E112925965A8@WSMSG3153V.srv.dir.telstra.com>
References: <4EB173A1.6040209@cs.tcd.ie>
In-Reply-To: <4EB173A1.6040209@cs.tcd.ie>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 23:21:58 -0000

> 5) Section 3 ABNF allows "realm=foo;realm=bar;scope=baz;error=123"
> is that ok? Is processing clear for all cases? I don't think it
> is.


The ABNF does not allow that.
It requires commas as separators, not semi-colons.
It requires double quotes around values.
The only possible ambiguity in this example is the duplicate realms, but
that parameter isn't even defined in this spec (it is defined in
draft-ietf-httpbis-p7-auth)! I guess that spec could try to explicitly
define behaviour in the case of this particular error, but it may have to
explicitly describe a lot of other error cases as well.

--
James Manger

From julian.reschke@gmx.de  Thu Nov  3 01:50:02 2011
Return-Path: <julian.reschke@gmx.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ECB311E80A6 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 01:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.458
X-Spam-Level: 
X-Spam-Status: No, score=-104.458 tagged_above=-999 required=5 tests=[AWL=-1.859, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hzzbcwazYOI7 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 01:50:01 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 31FAE11E80D2 for <oauth@ietf.org>; Thu,  3 Nov 2011 01:50:00 -0700 (PDT)
Received: (qmail invoked by alias); 03 Nov 2011 08:49:56 -0000
Received: from p5DCC9287.dip.t-dialin.net (EHLO [192.168.178.36]) [93.204.146.135] by mail.gmx.net (mp040) with SMTP; 03 Nov 2011 09:49:56 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/u3jlUI/DuGnP8KyMnJZ8RA4tVCkuk4IM1U+D7Ul dUKLf26ZfBSy9g
Message-ID: <4EB255AF.6040002@gmx.de>
Date: Thu, 03 Nov 2011 09:49:51 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
References: <4EB173A1.6040209@cs.tcd.ie> <255B9BB34FB7D647A506DC292726F6E112925965A8@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112925965A8@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 08:50:02 -0000

On 2011-11-03 00:21, Manger, James H wrote:
>> 5) Section 3 ABNF allows "realm=foo;realm=bar;scope=baz;error=123"
>> is that ok? Is processing clear for all cases? I don't think it
>> is.
>
>
> The ABNF does not allow that.
> It requires commas as separators, not semi-colons.

Indeed.

> It requires double quotes around values.

(but maybe it should not; separate issue)

> The only possible ambiguity in this example is the duplicate realms, but that parameter isn't even defined in this spec (it is defined in draft-ietf-httpbis-p7-auth)! I guess that spec could try to explicitly define behaviour in the case of this particular error, but it may have to explicitly describe a lot of other error cases as well.

Indeed. I have opened a ticket for that 
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/321>. UAs disagree on 
it, so I think all that needs to be done here is to point out that it's 
invalid.

Best regards, Julian
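
Two points in this thread are easiest to pin down in code: the Bearer challenge grammar James Manger describes (comma-separated auth-params with double-quoted values, so `realm=foo;realm=bar;scope=baz;error=123` is simply not well-formed, and a repeated `realm` is the one case left to point out as invalid), and Bill Mills' earlier requirement that a client which meets a token type it does not implement must fail gracefully and otherwise pick any scheme it supports that the protected resource offers. The block below is an added example written for this archive; it is not code from the bearer draft, from httpbis, or from any implementation mentioned in the thread. The function names, the simplified token character class, the one-challenge-per-header assumption and the sample header values are all assumptions made here.

```python
"""Strict WWW-Authenticate challenge parsing and client-side scheme selection.

Added example; not code from the bearer draft, httpbis, or any implementation
discussed in the thread. It encodes the two rules James Manger cites for the
Bearer challenge ABNF (comma-separated auth-params, double-quoted values),
rejects a parameter that appears twice (the realm=foo,realm=bar case that user
agents disagree on), and shows a client that picks a token scheme it
implements or fails gracefully, as Bill Mills describes. Header values used
in the test are constructed samples.
"""
import re
from typing import Optional

# Simplified token syntax: the characters that occur in scheme and parameter
# names. Comma is deliberately excluded so it can only act as a separator.
_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
# quoted-string with backslash quoted-pairs
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# One auth-param: name "=" quoted-string, whitespace allowed around "="
_PARAM_RE = re.compile(rf"\s*({_TOKEN})\s*=\s*({_QUOTED})\s*")
# One challenge: auth-scheme, optionally followed by whitespace and params
_SCHEME_RE = re.compile(rf"\s*({_TOKEN})(?:\s+(.*))?$", re.S)


class ChallengeSyntaxError(ValueError):
    """Raised when a challenge does not match the strict grammar."""


def parse_auth_params(text: str) -> dict:
    """Parse comma-separated auth-params into a dict (names lower-cased).

    Rejects semicolon separators, unquoted values, trailing junk and a
    parameter given more than once.
    """
    params: dict = {}
    text = text.strip()
    pos = 0
    while pos < len(text):
        m = _PARAM_RE.match(text, pos)
        if not m:
            raise ChallengeSyntaxError(f"bad auth-param at {pos}: {text[pos:]!r}")
        name = m.group(1).lower()
        if name in params:
            raise ChallengeSyntaxError(f"duplicate parameter {name!r}")
        # strip the surrounding quotes and resolve quoted-pairs such as \"
        params[name] = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ChallengeSyntaxError(f"expected ',' at {pos}, got {text[pos]!r}")
            pos += 1
    return params


def parse_challenge(value: str) -> tuple:
    """Parse one challenge ('Bearer realm="...", scope="..."') into (scheme, params)."""
    m = _SCHEME_RE.match(value)
    if not m:
        raise ChallengeSyntaxError(f"no auth-scheme in {value!r}")
    return m.group(1).lower(), parse_auth_params(m.group(2) or "")


def choose_scheme(header_values: list, supported=("bearer",)) -> Optional[tuple]:
    """Pick the first challenge whose scheme the client implements.

    Assumes one WWW-Authenticate header value per challenge. Malformed
    challenges are skipped, and None is returned when nothing usable is left,
    so the caller reports an error instead of retrying with a token type the
    protected resource will not accept.
    """
    for value in header_values:
        try:
            scheme, params = parse_challenge(value)
        except ChallengeSyntaxError:
            continue
        if scheme in supported:
            return scheme, params
    return None
```

A client that only implements Bearer calls `choose_scheme` with the default `supported`; one built from a general-purpose library that also implements MAC passes `("bearer", "mac")` and gets whichever the resource offers first. Either way the answer for an unsupported or malformed challenge is `None`, not a guess.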

From jricher@mitre.org  Thu Nov  3 05:46:24 2011
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AA811E80D2 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 05:46:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3-Ebyjp+mmA for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 05:46:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4F07D11E80AC for <oauth@ietf.org>; Thu,  3 Nov 2011 05:46:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E822A21B0835; Thu,  3 Nov 2011 08:46:23 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D26DD21B03EC; Thu,  3 Nov 2011 08:46:23 -0400 (EDT)
Received: from [129.83.50.1] (129.83.31.55) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Thu, 3 Nov 2011 08:46:23 -0400
Message-ID: <1320324374.15549.29.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: William Mills <wmills@yahoo-inc.com>
Date: Thu, 3 Nov 2011 08:46:14 -0400
In-Reply-To: <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> , <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.1- 
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 12:46:25 -0000

This is exactly what I was thinking of. If a given token type is MTI for
clients, but servers can do whatever they want (this, as I read it, is
what was suggested), how does the MTI bit help interop at all?

 -- Justin

On Wed, 2011-11-02 at 15:48 -0700, William Mills wrote:
> I actually think the protected resource specifies the token type(s) in
> either it's service docs or discovery information, and it does know
> knowing it's authentication server will issue compatible tokens.  The
> client may encounter endpoints requiring token types it doesn't
> support, and it needs to fail gracefully.  The client may select any
> supported OAuth 2 scheme it understands which the PR supports.
> 
> 
> 
> I am not in favor of specifying MUST for any particular flavor of
> token.
> 
> 
> What is the value of mandating a token type?
> 
> 
> 
> -bill
> 
> 
> 
> 
> ______________________________________________________________________
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: John Bradley <ve7jtb@ve7jtb.com>; Torsten Lodderstedt
> <torsten@lodderstedt.net>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Sent: Wednesday, November 2, 2011 1:11 PM
> Subject: Re: [OAUTH-WG] AD review of -22
> 
> Do you want to see no change or adjust it to client must implement
> both, server decides which to use.
>  
> EHL
>  
> 
> ______________________________________________________________________
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of
> John Bradley [ve7jtb@ve7jtb.com]
> Sent: Wednesday, November 02, 2011 1:06 PM
> To: Torsten Lodderstedt
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
> 
> 
> 
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> 
> > Hi Stephen,
> > 
> > I'm concerned about your proposal (7) to make support for MAC a MUST
> > for clients and BEARER a MAY only. In my opinion, this does not
> > reflect the group's consensus. Beside this, the security threat
> > analysis justifies usage of BEARER for nearly all use cases as long
> > as HTTPS (incl. server authentication) can be utilized.
> > regards,
> > Torsten.
> > 
> > On 13.10.2011 19:13, Stephen Farrell wrote:
> > > 
> > > Hi all, 
> > > 
> > > Sorry for having been quite slow with this, but I had a bunch 
> > > of travel recently. 
> > > 
> > > Anyway, my AD comments on -22 are attached. I think that the 
> > > first list has the ones that need some change before we push 
> > > this out for IETF LC, there might or might not be something 
> > > to change as a result of the 2nd list of questions and the 
> > > rest are really nits can be handled either now or later. 
> > > 
> > > Thanks for all your work on this so far - its nearly there 
> > > IMO and we should be able to get the IETF LC started once 
> > > these few things are dealt with. 
> > > 
> > > Cheers, 
> > > S. 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



From eran@hueniverse.com  Thu Nov  3 09:25:32 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D2391F0CBC for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 09:25:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.518
X-Spam-Level: 
X-Spam-Status: No, score=-2.518 tagged_above=-999 required=5 tests=[AWL=0.081,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDwpLZ8ZtA65 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 09:25:30 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 65CA21F0CBA for <oauth@ietf.org>; Thu,  3 Nov 2011 09:25:29 -0700 (PDT)
Received: (qmail 2064 invoked from network); 3 Nov 2011 16:25:27 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 3 Nov 2011 16:25:27 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Thu, 3 Nov 2011 09:25:21 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Justin Richer <jricher@mitre.org>, William Mills <wmills@yahoo-inc.com>
Date: Thu, 3 Nov 2011 09:25:10 -0700
Thread-Topic: [OAUTH-WG] AD review of -22
Thread-Index: AcyaJpksA3aH08aGTGypICVMjQ9xxAAHmFhw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345263403444@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> , <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com> <1320324374.15549.29.camel@ground>
In-Reply-To: <1320324374.15549.29.camel@ground>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 16:25:33 -0000

From phil.hunt@oracle.com  Thu Nov  3 09:47:33 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1450D1F0C81 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 09:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.459
X-Spam-Level: 
X-Spam-Status: No, score=-6.459 tagged_above=-999 required=5 tests=[AWL=0.140,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q47qEds+oV1n for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 09:47:32 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 12EDB1F0C8B for <oauth@ietf.org>; Thu,  3 Nov 2011 09:47:31 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pA3GlN4e014915 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Nov 2011 16:47:23 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pA3GlLVI027100 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Nov 2011 16:47:22 GMT
Received: from abhmt109.oracle.com (abhmt109.oracle.com [141.146.116.61]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pA3GlGiG015346; Thu, 3 Nov 2011 11:47:16 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 Nov 2011 09:47:16 -0700
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263403444@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 3 Nov 2011 09:47:14 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5C0A54C3-5273-4E44-8870-6D42F3523330@oracle.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> , <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com> <1320324374.15549.29.camel@ground> <90C41DD21FB7C64BB94121FBBC2E72345263403444@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
X-CT-RefId: str=0001.0A090209.4EB2C59C.0008,ss=1,re=0.000,fgs=0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 16:47:33 -0000

+1

I note that RFCs 2616 & 2617 only reference each other. There is no MTI text. It just references them.

It may be reasonable to observe that there are two classes of tokens: Bearer, where the client treats token as opaque to return to server at appropriate times, and client-proof tokens such as MAC where the client must do something to prove possession with the objective that an attacker sniffing a client's authentication header (due to non-ssl communication) could not become or masquerade as the client.

Do we need an analogue to the bearer spec that lays foundations for the class of tokens that MAC fits into?  Or should the bearer spec be modified to explain the two classes of tokens?

If we had both, then we could set this up much like HTTP 1.1 does with RFC 2617.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-03, at 9:25 AM, Eran Hammer-Lahav wrote:

> It can help by telling servers that as long as they support one of the MTI types, they will be able to interop. Of course, they don't have to.
>
> My feeling is that until there is an actual discovery experience out there that works, this kind of interop is not really an issue ATM.
>
> EHL
>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Thursday, November 03, 2011 5:46 AM
>> To: William Mills
>> Cc: Eran Hammer-Lahav; John Bradley; Torsten Lodderstedt; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] AD review of -22
>>
>> This is exactly what I was thinking of. If a given token type is MTI for clients,
>> but servers can do whatever they want (this, as I read it, is what was
>> suggested), how does the MTI bit help interop at all?
>>
>> -- Justin
>>
>> On Wed, 2011-11-02 at 15:48 -0700, William Mills wrote:
>>> I actually think the protected resource specifies the token type(s) in
>>> either it's service docs or discovery information, and it does know
>>> knowing it's authentication server will issue compatible tokens.  The
>>> client may encounter endpoints requiring token types it doesn't
>>> support, and it needs to fail gracefully.  The client may select any
>>> supported OAuth 2 scheme it understands which the PR supports.
>>>
>>>
>>>
>>> I am not in favor of specifying MUST for any particular flavor of
>>> token.
>>>
>>>
>>> What is the value of mandating a token type?
>>>
>>>
>>>
>>> -bill
>>>
>>>
>>>
>>>
>>>
>> __________________________________________________________
>> ____________
>>> From: Eran Hammer-Lahav <eran@hueniverse.com>
>>> To: John Bradley <ve7jtb@ve7jtb.com>; Torsten Lodderstedt
>>> <torsten@lodderstedt.net>
>>> Cc: "oauth@ietf.org" <oauth@ietf.org>
>>> Sent: Wednesday, November 2, 2011 1:11 PM
>>> Subject: Re: [OAUTH-WG] AD review of -22
>>>
>>> Do you want to see no change or adjust it to client must implement
>>> both, server decides which to use.
>>>
>>> EHL
>>>
>>>
>>>
>> __________________________________________________________
>> ____________
>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of
>>> John Bradley [ve7jtb@ve7jtb.com]
>>> Sent: Wednesday, November 02, 2011 1:06 PM
>>> To: Torsten Lodderstedt
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] AD review of -22
>>>
>>>
>>>
>>> +1
>>> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>>>
>>>> Hi Stephen,
>>>>
>>>> I'm concerned about your proposal (7) to make support for MAC a MUST
>>>> for clients and BEARER a MAY only. In my opinion, this does not
>>>> reflect the group's consensus. Beside this, the security threat
>>>> analysis justifies usage of BEARER for nearly all use cases as long
>>>> as HTTPS (incl. server authentication) can be utilized.
>>>> regards,
>>>> Torsten.
>>>>
>>>> On 13.10.2011 19:13, Stephen Farrell wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> Sorry for having been quite slow with this, but I had a bunch of
>>>>> travel recently.
>>>>>
>>>>> Anyway, my AD comments on -22 are attached. I think that the first
>>>>> list has the ones that need some change before we push this out
>>>>> for IETF LC, there might or might not be something to change as a
>>>>> result of the 2nd list of questions and the rest are really nits
>>>>> can be handled either now or later.
>>>>>
>>>>> Thanks for all your work on this so far - its nearly there IMO and
>>>>> we should be able to get the IETF LC started once these few things
>>>>> are dealt with.
>>>>>
>>>>> Cheers,
>>>>> S.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

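Phil's distinction between bearer tokens and client-proof tokens such as MAC, as an added example that is not part of the thread or of either draft: a toy resource server that accepts both classes, and an attacker who has captured one Authorization header off a non-TLS connection and replays it, first against the same request and then against a different one. The MAC construction is only modeled on the MAC token draft's normalized request string (timestamp, nonce, method, request URI, host, port) and leaves out the draft's body hash and ext fields, so it is an illustration of the token class rather than a conformant implementation; the key id, key, bearer token value and URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit

# Constructed credentials for this example only (hypothetical values, not taken from the thread).
BEARER_TOKEN = "mF_9.B5f-4.1JqM"
MAC_KEY_ID = "h480djs93hd8"
MAC_KEY = b"constructed-shared-secret-known-only-to-client-and-server"

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_auth_params(params):
    """Parse name="value" pairs from an Authorization header (quoted values only)."""
    return dict(_PARAM_RE.findall(params))


def normalized_request_string(ts, nonce, method, url):
    """Bind the MAC to the request.  Loosely modeled on the MAC draft's normalized
    request string (timestamp, nonce, method, request URI, host, port); the draft's
    body hash and ext fields are left out, so this is a simplification, not the spec."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = (u.path or "/") + ("?" + u.query if u.query else "")
    return "\n".join([str(ts), nonce, method.upper(), request_uri, u.hostname, str(port)]) + "\n"


def compute_mac(key, ts, nonce, method, url):
    msg = normalized_request_string(ts, nonce, method, url).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def bearer_header(token):
    return f"Bearer {token}"


def mac_header(key_id, key, method, url, ts=None, nonce=None):
    """Client side: each request carries a fresh timestamp and nonce plus the MAC."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = compute_mac(key, ts, nonce, method, url)
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


class ResourceServer:
    """Protected resource accepting both token classes."""

    def __init__(self, bearer_tokens, mac_keys, now=time.time, max_skew=300):
        self.bearer_tokens = set(bearer_tokens)
        self.mac_keys = dict(mac_keys)
        self.now = now
        self.max_skew = max_skew
        self.seen = set()  # (id, ts, nonce) replay cache; a real server expires it by max_skew

    def authorize(self, method, url, authorization):
        scheme, _, rest = authorization.partition(" ")
        if scheme == "Bearer":
            return rest.strip() in self.bearer_tokens  # holding the string is the whole proof
        if scheme == "MAC":
            return self._check_mac(method, url, parse_auth_params(rest))
        return False

    def _check_mac(self, method, url, p):
        key = self.mac_keys.get(p.get("id"))
        if key is None or not all(k in p for k in ("ts", "nonce", "mac")):
            return False
        try:
            ts = int(p["ts"])
        except ValueError:
            return False
        if abs(self.now() - ts) > self.max_skew:
            return False  # stale timestamp
        expected = compute_mac(key, ts, p["nonce"], method, url)
        if not hmac.compare_digest(expected, p["mac"]):
            return False  # header moved to a different method or URI
        replay_key = (p["id"], ts, p["nonce"])
        if replay_key in self.seen:
            return False  # exact replay of a captured request
        self.seen.add(replay_key)
        return True


def demo():
    """Replay a captured Authorization header against the same and a different request."""
    def clock():
        return 1320339137  # fixed 'now' so the run is deterministic
    rs = ResourceServer([BEARER_TOKEN], {MAC_KEY_ID: MAC_KEY}, now=clock)
    get_url = "https://example.com/resource/1"
    del_url = "https://example.com/resource/1?action=delete"
    captured_bearer = bearer_header(BEARER_TOKEN)
    captured_mac = mac_header(MAC_KEY_ID, MAC_KEY, "GET", get_url, ts=clock(), nonce="dj83hs9s")
    return {
        "bearer_original": rs.authorize("GET", get_url, captured_bearer),
        "bearer_replayed": rs.authorize("GET", get_url, captured_bearer),
        "bearer_moved_to_delete": rs.authorize("DELETE", del_url, captured_bearer),
        "mac_original": rs.authorize("GET", get_url, captured_mac),
        "mac_replayed": rs.authorize("GET", get_url, captured_mac),
        "mac_moved_to_delete": rs.authorize("DELETE", del_url, captured_mac),
        "mac_fresh_delete": rs.authorize("DELETE", del_url,
                                         mac_header(MAC_KEY_ID, MAC_KEY, "DELETE", del_url, ts=clock())),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The run shows the asymmetry in the two classes: the captured Bearer header is accepted again on the same request and on the DELETE, because possession of the string is the proof, while the captured MAC header fails both ways (once on the nonce cache, once because the MAC no longer matches the method and URI) and only a freshly signed request gets through. This is also why the threat analysis Torsten cites ties Bearer to HTTPS with server authentication: without it the sniffing attacker Phil describes gets the whole credential.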

From mike@mtcc.com  Thu Nov  3 09:52:26 2011
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0015811E8149 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 09:52:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NDDMwjjxNuu for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 09:52:25 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 0872D11E8099 for <oauth@ietf.org>; Thu,  3 Nov 2011 09:52:25 -0700 (PDT)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pA3GqFqK031459 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 3 Nov 2011 09:52:15 -0700
Message-ID: <4EB2C6BF.2060801@mtcc.com>
Date: Thu, 03 Nov 2011 09:52:15 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>	, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com>	<90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>	<1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com>	<1320324374.15549.29.camel@ground> <90C41DD21FB7C64BB94121FBBC2E72345263403444@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263403444@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5707; t=1320339137; x=1321203137; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20AD=20review=20of=20-22 |Sender:=20 |To:=20Eran=20Hammer-Lahav=20<eran@hueniverse.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=axmiQe10D1LzAeKzF08+GTT90joEhsD/GAQsSPbisi4=; b=EbOuvTXF6GtmeZA8OJz7w/2Gzk33xZGUVmkRmMnrtqqtn+I/I5L9NmCI1p p4nKbuQwVIff8UZtqHWokQ9Kh8fHIaYSdDP4gfrSqjtt/uPRXXntNBYGghyv knBzpiNIBWEvFUYMnYfqow8Zb2zI8vREWjfKnVgL8mxTwlz76CLXk=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; );  dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 16:52:26 -0000

On 11/03/2011 09:25 AM, Eran Hammer-Lahav wrote:
> It can help by telling servers that as long as they support one of the MTI types, they will be able to interop. Of course, they don't have to.
>
> My feeling is that until there is an actual discovery experience out there that works, this kind of interop is not really an issue ATM.
>    

 From what I can tell as a developer, it seems that every oauth server deployment comes with their very own oauth client library/sdk. So there's a twitter one, a g+ one, a fb one, etc. Ultimately there may be an oauth equivalent to openssl, but it's not there afaik, and probably won't be for a while since the library/sdk needs to support php, perl, python, ruby, blah, blah, blah instead of just a C library with higher level language specific veneers on top of it as needed.

So the reality is that any unified client is going to have to support what servers demand, not the other way around. Which means it's going to have to be a kitchen sink client library to handle the various choices that servers make. So I'd say no to any form of an sdp-like* offer/answer protocol; it's just easier to keep adding to the client kitchen sink.

Mike

[*] sdp offer/answer was necessary because of _hardware_ limitations... usually because of codec complexity where an endpoint physically might not be able to interoperate. that's good motivation. I doubt there's anything comparable with oauth.

> EHL
>
>    
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Thursday, November 03, 2011 5:46 AM
>> To: William Mills
>> Cc: Eran Hammer-Lahav; John Bradley; Torsten Lodderstedt; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] AD review of -22
>>
>> This is exactly what I was thinking of. If a given token type is MTI for clients,
>> but servers can do whatever they want (this, as I read it, is what was
>> suggested), how does the MTI bit help interop at all?
>>
>>   -- Justin
>>
>> On Wed, 2011-11-02 at 15:48 -0700, William Mills wrote:
>>      
>>> I actually think the protected resource specifies the token type(s) in
>>> either it's service docs or discovery information, and it does know
>>> knowing it's authentication server will issue compatible tokens.  The
>>> client may encounter endpoints requiring token types it doesn't
>>> support, and it needs to fail gracefully.  The client may select any
>>> supported OAuth 2 scheme it understands which the PR supports.
>>>
>>>
>>>
>>> I am not in favor of specifying MUST for any particular flavor of
>>> token.
>>>
>>>
>>> What is the value of mandating a token type?
>>>
>>>
>>>
>>> -bill
>>>
>>>
>>>
>>>
>>>
>>>        
>> __________________________________________________________
>> ____________
>>      
>>> From: Eran Hammer-Lahav<eran@hueniverse.com>
>>> To: John Bradley<ve7jtb@ve7jtb.com>; Torsten Lodderstedt
>>> <torsten@lodderstedt.net>
>>> Cc: "oauth@ietf.org"<oauth@ietf.org>
>>> Sent: Wednesday, November 2, 2011 1:11 PM
>>> Subject: Re: [OAUTH-WG] AD review of -22
>>>
>>> Do you want to see no change or adjust it to client must implement
>>> both, server decides which to use.
>>>
>>> EHL
>>>
>>>
>>>
>>>        
>> __________________________________________________________
>> ____________
>>      
>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of
>>> John Bradley [ve7jtb@ve7jtb.com]
>>> Sent: Wednesday, November 02, 2011 1:06 PM
>>> To: Torsten Lodderstedt
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] AD review of -22
>>>
>>>
>>>
>>> +1
>>> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>>>
>>>        
>>>> Hi Stephen,
>>>>
>>>> I'm concerned about your proposal (7) to make support for MAC a MUST
>>>> for clients and BEARER a MAY only. In my opinion, this does not
>>>> reflect the group's consensus. Beside this, the security threat
>>>> analysis justifies usage of BEARER for nearly all use cases as long
>>>> as HTTPS (incl. server authentication) can be utilized.
>>>> regards,
>>>> Torsten.
>>>>
>>>> On 13.10.2011 19:13, Stephen Farrell wrote:
>>>>          
>>>>> Hi all,
>>>>>
>>>>> Sorry for having been quite slow with this, but I had a bunch of
>>>>> travel recently.
>>>>>
>>>>> Anyway, my AD comments on -22 are attached. I think that the first
>>>>> list has the ones that need some change before we push this out
>>>>> for IETF LC, there might or might not be something to change as a
>>>>> result of the 2nd list of questions and the rest are really nits
>>>>> can be handled either now or later.
>>>>>
>>>>> Thanks for all your work on this so far - its nearly there IMO and
>>>>> we should be able to get the IETF LC started once these few things
>>>>> are dealt with.
>>>>>
>>>>> Cheers,
>>>>> S.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>            
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>          
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>        
>>      
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>    


From wmills@yahoo-inc.com  Thu Nov  3 10:24:18 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1051F0C85 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 10:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.338
X-Spam-Level: 
X-Spam-Status: No, score=-17.338 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8DIaIRYuD9lR for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 10:24:17 -0700 (PDT)
Received: from nm15.bullet.mail.sp2.yahoo.com (nm15.bullet.mail.sp2.yahoo.com [98.139.91.85]) by ietfa.amsl.com (Postfix) with SMTP id 43DD11F0C81 for <oauth@ietf.org>; Thu,  3 Nov 2011 10:24:17 -0700 (PDT)
Received: from [98.139.91.66] by nm15.bullet.mail.sp2.yahoo.com with NNFMP; 03 Nov 2011 17:24:17 -0000
Received: from [98.139.91.46] by tm6.bullet.mail.sp2.yahoo.com with NNFMP; 03 Nov 2011 17:24:17 -0000
Received: from [127.0.0.1] by omp1046.mail.sp2.yahoo.com with NNFMP; 03 Nov 2011 17:24:17 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 135169.20787.bm@omp1046.mail.sp2.yahoo.com
Received: (qmail 33099 invoked by uid 60001); 3 Nov 2011 17:24:16 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1320341056; bh=5lGHVZuikJZBehzyT4ecPOwMsRnNi/Z7N7etKexa16g=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=WkyGbbCrXNUMUROL4xnBO3vRYZCvdgAqNEPZ/GLucAZwwg8OR3xF9pxF/Mpg+m/d+kA8NyWsWowa/r7COPhbeaTHxC8eLPdqcgBe4L6crfU5sJSqKSsGDmK1VkK3gXRDbqz499bQZ9+wDVvpT9xPMDUIeiE1+G/a2uV1SdE7i8w=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=RbiDHmrrzWxt7YS/n1ylsyIEq5IARKTK8YiHdWSmt/uCvblV5POQHcR5C5R1sjxIVPmfUuGYV01n7S6EmdfOmcFCf0dBXXNDLGFGhj/D6KTJA6moH1wk9qEQv4Vfl7qiDTOtvVsyNvQE0I1NcZDx5jxUMGf0l0fmSQDThkhcaEU=;
X-YMail-OSG: eRjtarEVM1kakjbZpX5WPacy80v9m17XL.v1ME.iYtSuDwS 0gTzZtE3JDVY7W_6dYoBCj5NJTUs8PuTVcBhrb2mtigwCvDhDR.TlaLUcQA7 _xH6pRu780FJE0D2.iKn8aypuROKtItDMNA1YmfOahJca2SNba1AOEE_TJxY cwK7WFTQEMjHmMUhJGMAIkASo_yJW0Wl6riN_T.zJeIH.ZO7nz5tCq7T0U7D lU2Idxywy5wNtfAWK_ALRGAiKL0MaUQGIqyeHc2hO_u338BIsjk5qEAfCMq8 tpKbAUEHXKYfxlmXTZUtqRmQExmC4RSNCP8ur8s9J0y0r6LjDnDdJNcSsqOq si1MQbWyrD2GwosuIAkP4EC86860xXwLHV8WF5TK3wv2wAMf1SyOkEH1_FaZ Y6fOk1OcmU3PZk7CCcobVpmKcZ799Dqk5Z1RwpoNwut.VCy8ceLn9oG_cLx9 LENJtk7P5.rj0w9fL7XYhAr6jFh_Vl6hGeCfWM9sF8VP_FUbPNGS5UUw-
Received: from [209.131.62.113] by web31803.mail.mud.yahoo.com via HTTP; Thu, 03 Nov 2011 10:24:16 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.325013
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> , <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com> <1320324374.15549.29.camel@ground> <90C41DD21FB7C64BB94121FBBC2E72345263403444@P3PW5EX1MB01.EX1.SECURESERVER.NET> <5C0A54C3-5273-4E44-8870-6D42F3523330@oracle.com>
Message-ID: <1320341056.29651.YahooMailNeo@web31803.mail.mud.yahoo.com>
Date: Thu, 3 Nov 2011 10:24:16 -0700 (PDT)
From: William Mills <wmills@yahoo-inc.com>
To: Phil Hunt <phil.hunt@oracle.com>, Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <5C0A54C3-5273-4E44-8870-6D42F3523330@oracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1502656925-1163938373-1320341056=:29651"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 17:24:18 -0000

--1502656925-1163938373-1320341056=:29651
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

At this point in the process I think it would be better to add that to the threat model draft.  It would be appropriate to add it in the core spec, but not a good idea now that it's deep into the last call?



________________________________
From: Phil Hunt <phil.hunt@oracle.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Justin Richer <jricher@mitre.org>; William Mills <wmills@yahoo-inc.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Thursday, November 3, 2011 9:47 AM
Subject: Re: [OAUTH-WG] AD review of -22

+1

I note that RFCs 2616 & 2617 only reference each other. There is no MTI text. It just references them.

It may be reasonable to observe that there are two classes of tokens: Bearer, where the client treats token as opaque to return to server at appropriate times, and client-proof tokens such as MAC where the client must do something to prove possession with the objective that an attacker sniffing a client's authentication header (due to non-ssl communication) could not become or masquerade as the client.

Do we need an analogue to the bearer spec that lays foundations for the class of tokens that MAC fits into?  Or should the bearer spec be modified to explain the two classes of tokens?

If we had both, then we could set this up much like HTTP 1.1 does with RFC 2617.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-03, at 9:25 AM, Eran Hammer-Lahav wrote:

> It can help by telling servers that as long as they support one of the MTI types, they will be able to interop. Of course, they don't have to.
>
> My feeling is that until there is an actual discovery experience out there that works, this kind of interop is not really an issue ATM.
>
> EHL
>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Thursday, November 03, 2011 5:46 AM
>> To: William Mills
>> Cc: Eran Hammer-Lahav; John Bradley; Torsten Lodderstedt; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] AD review of -22
>>
>> This is exactly what I was thinking of. If a given token type is MTI for clients,
>> but servers can do whatever they want (this, as I read it, is what was
>> suggested), how does the MTI bit help interop at all?
>>
>> -- Justin
>>
>> On Wed, 2011-11-02 at 15:48 -0700, William Mills wrote:
>>> I actually think the protected resource specifies the token type(s) in
>>> either it's service docs or discovery information, and it does know
>>> knowing it's authentication server will issue compatible tokens.  The
>>> client may encounter endpoints requiring token types it doesn't
>>> support, and it needs to fail gracefully.  The client may select any
>>> supported OAuth 2 scheme it understands which the PR supports.
>>>
>>>
>>>
>>> I am not in favor of specifying MUST for any particular flavor of
>>> token.
>>>
>>>
>>> What is the value of mandating a token type?
>>>
>>>
>>>
>>> -bill
>>>
>>>
>>>
>>>
>>>
>> __________________________________________________________
>> ____________
>>> From: Eran Hammer-Lahav <eran@hueniverse.com>
>>> To: John Bradley <ve7jtb@ve7jtb.com>; Torsten Lodderstedt
>>> <torsten@lodderstedt.net>
>>> Cc: "oauth@ietf.org" <oauth@ietf.org>
>>> Sent: Wednesday, November 2, 2011 1:11 PM
>>> Subject: Re: [OAUTH-WG] AD review of -22
>>>
>>> Do you want to see no change or adjust it to client must implement
>>> both, server decides which to use.
>>>
>>> EHL
>>>
>>>
>>>
>> __________________________________________________________
>> ____________
>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of
>>> John Bradley [ve7jtb@ve7jtb.com]
>>> Sent: Wednesday, November 02, 2011 1:06 PM
>>> To: Torsten Lodderstedt
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] AD review of -22
>>>
>>>
>>>
>>> +1
>>> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>>>
>>>> Hi Stephen,
>>>>
>>>> I'm concerned about your proposa
l (7) to make support for MAC a MUST=0A>>>> for clients and BEARER a MAY on=
ly. In my opinion, this does not=0A>>>> reflect the group's consensus. Besi=
de this, the security threat=0A>>>> analysis justifies usage of BEARER for =
nearly all use cases as long=0A>>>> as HTTPS (incl. server authentication) =
can be utilized.=0A>>>> regards,=0A>>>> Torsten.=0A>>>> =0A>>>> Am 13.10.20=
11 19:13, schrieb Stephen Farrell:=0A>>>>> =0A>>>>> Hi all,=0A>>>>> =0A>>>>=
> Sorry for having been quite slow with this, but I had a bunch of=0A>>>>> =
travel recently.=0A>>>>> =0A>>>>> Anyway, my AD comments on -22 are attache=
d. I think that the first=0A>>>>> list has the ones that need some change b=
efore we push this out=0A>>>>> for IETF LC, there might or might not be som=
ething to change as a=0A>>>>> result of the 2nd list of questions and the r=
est are really nits=0A>>>>> can be handled either now or later.=0A>>>>> =0A=
>>>>> Thanks for all your work on this so far - its nearly there IMO and=0A=
>>>>> we should be able to get the IETF LC started once these few things=0A=
>>>>> are dealt with.=0A>>>>> =0A>>>>> Cheers,=0A>>>>> S.=0A>>>>> =0A>>>>> =
=0A>>>>> =0A>>>>> _______________________________________________=0A>>>>> O=
Auth mailing list=0A>>>>> OAuth@ietf.org=0A>>>>> https://www.ietf.org/mailm=
an/listinfo/oauth=0A>>>> _______________________________________________=0A=
>>>> OAuth mailing list=0A>>>> OAuth@ietf.org=0A>>>> https://www.ietf.org/m=
ailman/listinfo/oauth=0A>>> =0A>>> =0A>>> =0A>>> __________________________=
_____________________=0A>>> OAuth mailing list=0A>>> OAuth@ietf.org=0A>>> h=
ttps://www.ietf.org/mailman/listinfo/oauth=0A>>> =0A>>> =0A>>> =0A>>> _____=
__________________________________________=0A>>> OAuth mailing list=0A>>> O=
Auth@ietf.org=0A>>> https://www.ietf.org/mailman/listinfo/oauth=0A>> =0A> =
=0A> _______________________________________________=0A> OAuth mailing list=
=0A> OAuth@ietf.org=0A> https://www.ietf.org/mailman/listinfo/oauth
--1502656925-1163938373-1320341056=:29651--
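Phil Hunt's distinction above (a bearer token the client merely echoes back, versus a "client-proof" token such as MAC where the client must demonstrate possession of a key so that a sniffed Authorization header cannot be reused) is easy to show in code. The following is an added example, not code from the thread, the OAuth WG or any of its drafts: the MAC construction is a simplified hypothetical scheme (HMAC-SHA256 over timestamp, nonce, method, host and path) that follows the idea of the MAC draft but not its exact wire syntax, and the token, key id, key and nonce values are constructed. It replays a captured header of each kind against a resource server to show which one an eavesdropper on a non-TLS connection can profit from, and why the same header cannot be moved to another request, reused, or kept for later under the proof-of-possession scheme.

```python
"""Replay demonstration: bearer token vs. a proof-of-possession ("MAC"-style) token.

Added illustration only. The MAC scheme here is hypothetical and simplified
(HMAC-SHA256 over ts, nonce, method, host, path); it is not the wire format
of the IETF OAuth MAC draft. All credential values are constructed.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials, as if issued by the authorization server.
BEARER_TOKEN = "constructed-bearer-token-7f3a"
MAC_KEY_ID = "constructed-kid-42"
MAC_KEY = b"constructed-shared-secret"   # shared secret; never sent on the wire


def bearer_header(token):
    """Client side: a bearer token is simply echoed back to the server."""
    return f"Bearer {token}"


def verify_bearer(header, method, host, path, issued):
    """Resource server: only the token string is checked.

    method/host/path are accepted to mirror the MAC verifier's signature, but
    they play no part in the decision: any request carrying the token wins.
    """
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and token in issued


def _normalized(ts, nonce, method, host, path):
    # The signed string binds the header to exactly one request.
    return "\n".join([str(ts), nonce, method.upper(), host.lower(), path, ""]).encode()


def mac_header(key_id, key, method, host, path, ts=None, nonce=None):
    """Client side: prove possession of the key for this one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, _normalized(ts, nonce, method, host, path), hashlib.sha256).hexdigest()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def _parse_params(s):
    out = {}
    for part in s.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip('"')
    return out


class MacVerifier:
    """Resource server: recompute the MAC over the request actually received."""

    def __init__(self, keys, window=300):
        self.keys = keys            # key id -> shared secret
        self.window = window        # accepted clock skew, in seconds
        self.seen = set()           # (id, ts, nonce) triples already accepted

    def verify(self, header, method, host, path, now=None):
        scheme, _, rest = header.partition(" ")
        if scheme != "MAC":
            return False
        p = _parse_params(rest)
        key = self.keys.get(p.get("id", ""))
        if key is None or not p.get("ts", "").isdigit():
            return False
        ts, nonce = int(p["ts"]), p.get("nonce", "")
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window:             # stale capture
            return False
        if (p["id"], ts, nonce) in self.seen:       # exact replay of an accepted header
            return False
        expected = hmac.new(key, _normalized(ts, nonce, method, host, path), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return False                            # header moved to a different request
        self.seen.add((p["id"], ts, nonce))
        return True


def replay_demo(now=1_320_341_056):
    """An eavesdropper captures both headers from a plaintext GET /resource/1 and replays them."""
    issued = {BEARER_TOKEN}
    fresh = lambda: MacVerifier({MAC_KEY_ID: MAC_KEY})
    verifier = fresh()
    sniffed_bearer = bearer_header(BEARER_TOKEN)
    sniffed_mac = mac_header(MAC_KEY_ID, MAC_KEY, "GET", "example.com", "/resource/1",
                             ts=now, nonce="constructed-nonce")
    return {
        "bearer_original": verify_bearer(sniffed_bearer, "GET", "example.com", "/resource/1", issued),
        "bearer_replayed_elsewhere": verify_bearer(sniffed_bearer, "DELETE", "example.com", "/resource/2", issued),
        "mac_original": verifier.verify(sniffed_mac, "GET", "example.com", "/resource/1", now=now),
        "mac_replayed_same_request": verifier.verify(sniffed_mac, "GET", "example.com", "/resource/1", now=now),
        "mac_replayed_elsewhere": fresh().verify(sniffed_mac, "DELETE", "example.com", "/resource/2", now=now + 1),
        "mac_replayed_later": fresh().verify(sniffed_mac, "GET", "example.com", "/resource/1", now=now + 3600),
    }
```

The bearer header is accepted for the attacker's DELETE just as readily as for the victim's GET, which is why Torsten's point stands: a bearer token is only as safe as the TLS channel (including server authentication) that keeps it out of an eavesdropper's hands. The MAC header fails for a different request (signature mismatch), for the identical request (nonce already seen) and for a delayed replay (timestamp outside the window). Note that the nonce cache has to be shared across all resource-server instances, and the skew window is a trade-off between tolerating client clock drift and bounding how long a captured header stays live.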

From hardjono@mit.edu  Thu Nov  3 12:33:18 2011
Return-Path: <hardjono@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB4B1F0C3B for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 12:33:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.468
X-Spam-Level: 
X-Spam-Status: No, score=-4.468 tagged_above=-999 required=5 tests=[AWL=-0.869, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49Qm3tKw9Igu for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 12:33:17 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (DMZ-MAILSEC-SCANNER-2.MIT.EDU [18.9.25.13]) by ietfa.amsl.com (Postfix) with ESMTP id 3C6A11F0CAB for <oauth@ietf.org>; Thu,  3 Nov 2011 12:33:15 -0700 (PDT)
X-AuditID: 1209190d-b7f726d0000008d1-c3-4eb2ec7be3f8
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 4E.49.02257.B7CE2BE4; Thu,  3 Nov 2011 15:33:15 -0400 (EDT)
Received: from outgoing-exchange-2.mit.edu (OUTGOING-EXCHANGE-2.MIT.EDU [18.9.28.16]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id pA3JXE9F022189;  Thu, 3 Nov 2011 15:33:14 -0400
Received: from w92exedge4.exchange.mit.edu (W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73.16]) by outgoing-exchange-2.mit.edu (8.13.8/8.12.4) with ESMTP id pA3JXCqJ024437; Thu, 3 Nov 2011 15:33:12 -0400
Received: from oc11exhub6.exchange.mit.edu (18.9.3.16) by w92exedge4.exchange.mit.edu (18.7.73.16) with Microsoft SMTP Server (TLS) id 8.2.255.0; Thu, 3 Nov 2011 15:32:42 -0400
Received: from EXPO10.exchange.mit.edu ([18.9.4.15]) by oc11exhub6.exchange.mit.edu ([18.9.3.16]) with mapi; Thu, 3 Nov 2011 15:33:11 -0400
From: Thomas Hardjono <hardjono@MIT.EDU>
To: "oauth (oauth@ietf.org)" <oauth@ietf.org>
Date: Thu, 3 Nov 2011 15:33:10 -0400
Thread-Topic: Webex for OAUTH-WG meeting at IETF82 Taipei
Thread-Index: AcyaX2eT3hK6nEa8QpCgNOesLdoO+w==
Message-ID: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0061_01CC9A3D.E43828B0"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA02SW0gUURjHOTu747g4Mu6qe9REHA0iXC/dUAqxB0sqRAMf8sUmd3Kndtd1 Zr2slfgQWpokZViLZqjbg5fEJUoNU9ckddW8QIaZIkjWmpGJ5SWkmR1vb/8z/9/58X3MwRDF lswfYwwmmjVQOhKVSxXuPiHqGz9siZHTFXi0vW5cFm1tn5FFDyw50Tgk4XZDGZJQZ+tCE+rr 1yVJSKr8lIbWMTk0GxF7Wa5dc/SjRuvpvOKNSaQQdMeWAHcMEsfgo7VhVMy+cHSmhc9yTEG8 BfD5QgUQD10A/nHUSgVKQUzwh44MsXgJYPnTL9vUfQCLZn8hAoUSh+DIZqebkL0JNWz8XeYm QIgAOWuXeBWGSYlQuLquFBglP0flJ4tE5GNgU+fAdg6Hff/mXfPhRBJcGR12fQf8rH8Hm1wZ IVRwar5GIu7gDefGHLv7bHXMoSLvA6eLW4A4QxmAzQ8XJKLUCw48mZeWA1/LPpdlP2fZx4lQ JJy135GJOQi+XqpCxHwSPt7oQcUcDCtK59zEfBwu9i2DZwBrAIEafb5aTzE6jk5Xc+mUwUCz 6iPhesYUTmuybcD1m/3wNvCzh7QDAgOkB06xrYkKGZXDmfV24IdJSB+85qstUeF5JVNj1lKc No3N1tGcHUAMIb3xs/18h2socz7NZu5UAZiUVOFZbXGJCiKDMtHXadpIszvtAQwjIc4IUi+W zqDzrjI6014twdwFuQcvb18U5JyR0nNMhtgPgmB/FT4pFIRQaLMNu3d3nq0TqPhVlHiJQHnw j3r3tpMXS3jxhVaX2ETtVf6FIKaa/nYw9Q2IgudQZrPWP8lwj3n3wj2kGjva88ARZpxd7fuA NH5WBpnN1yLGUwrUAWnLpuSUVPpi3VBEWPNI7kRWjrR5M7fb41Lesm7gPRrf+3HxbuyQNfJM aej3GObVSnJNXVEvQm5ONVlvgYKbJ0IqPQ0hflWWXmIsMP48KeW0VNRhhOWo/3QEzfqRAwAA
Cc: "barryleiba@computer.org" <barryleiba@computer.org>
Subject: [OAUTH-WG] Webex for OAUTH-WG meeting at IETF82 Taipei
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 19:33:18 -0000

------=_NextPart_000_0061_01CC9A3D.E43828B0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Folks,

Would anyone be interested if I set up a Webex session for the next 
OAUTH-WG meeting in Taipei? (You can dial in via phone or computer.) I'm 
finding that often the delays in Jabber can cause some confusion.

For this to work someone from the meeting room in Taipei would need to 
dial into webex (ideally from a Polycom).

The OAUTH WG is currently scheduled for Thu 17 Nov at 1PM Taipei time 
(which translates to Wed evening 9PM-Pacific or 12midnight-Eastern).

cheers,


/thomas/



__________________________________________
Thomas Hardjono
email:  hardjono[at]mit.edu
desk:   +1 617-715-2451
__________________________________________



------=_NextPart_000_0061_01CC9A3D.E43828B0
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
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------=_NextPart_000_0061_01CC9A3D.E43828B0--

From phil.hunt@oracle.com  Thu Nov  3 12:46:35 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D3DC1F0CC2 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 12:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.482
X-Spam-Level: 
X-Spam-Status: No, score=-6.482 tagged_above=-999 required=5 tests=[AWL=0.117,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNB2ZzYTdHqt for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 12:46:34 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9A81F0CC1 for <oauth@ietf.org>; Thu,  3 Nov 2011 12:46:34 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pA3JkVZf018207 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Nov 2011 19:46:32 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pA3JkUx4007139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Nov 2011 19:46:31 GMT
Received: from abhmt111.oracle.com (abhmt111.oracle.com [141.146.116.63]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pA3JkOW4015935; Thu, 3 Nov 2011 14:46:25 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 Nov 2011 12:46:24 -0700
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=iso-8859-1
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
Date: Thu, 3 Nov 2011 12:46:21 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <0FDA1AEC-B98C-4C66-AC99-EC2FFE3442DD@oracle.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
To: Thomas Hardjono <hardjono@MIT.EDU>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090203.4EB2EF98.0187,ss=1,re=0.000,fgs=0
Cc: "barryleiba@computer.org" <barryleiba@computer.org>, "oauth \(oauth@ietf.org\)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Webex for OAUTH-WG meeting at IETF82 Taipei
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 19:46:35 -0000

I would be interested.

Sorry I can't make it in person.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-03, at 12:33 PM, Thomas Hardjono wrote:

> Folks,
> 
> Would anyone be interested if I set up a Webex session for the next 
> OAUTH-WG meeting in Taipei? (You can dial in via phone or computer.) I'm 
> finding that often the delays in Jabber can cause some confusion.
> 
> For this to work someone from the meeting room in Taipei would need to 
> dial into webex (ideally from a Polycom).
> 
> The OAUTH WG is currently scheduled for Thu 17 Nov at 1PM Taipei time 
> (which translates to Wed evening 9PM-Pacific or 12midnight-Eastern).
> 
> cheers,
> 
> 
> /thomas/
> 
> 
> 
> __________________________________________
> Thomas Hardjono
> email:  hardjono[at]mit.edu
> desk:   +1 617-715-2451
> __________________________________________
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From ve7jtb@ve7jtb.com  Thu Nov  3 13:36:14 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25E711E80DA for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 13:36:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.545
X-Spam-Level: 
X-Spam-Status: No, score=-3.545 tagged_above=-999 required=5 tests=[AWL=0.054,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B52+XqkWI-S2 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 13:36:14 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4709111E80AE for <oauth@ietf.org>; Thu,  3 Nov 2011 13:36:14 -0700 (PDT)
Received: by gye5 with SMTP id 5so1976539gye.31 for <oauth@ietf.org>; Thu, 03 Nov 2011 13:36:13 -0700 (PDT)
Received: by 10.101.179.35 with SMTP id g35mr2784019anp.82.1320352573641; Thu, 03 Nov 2011 13:36:13 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.89.28]) by mx.google.com with ESMTPS id p5sm20294548anl.18.2011.11.03.13.36.11 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 03 Nov 2011 13:36:12 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_78B90C0E-0236-4290-B1C9-7E41BF033980"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
Date: Thu, 3 Nov 2011 17:36:08 -0300
Message-Id: <03E9459B-7A0C-4497-A736-9467CF090602@ve7jtb.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
To: Thomas Hardjono <hardjono@MIT.EDU>
X-Mailer: Apple Mail (2.1251.1)
Cc: "barryleiba@computer.org" <barryleiba@computer.org>, "oauth \(oauth@ietf.org\)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Webex for OAUTH-WG meeting at IETF82 Taipei
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 20:36:14 -0000

--Apple-Mail=_78B90C0E-0236-4290-B1C9-7E41BF033980
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=iso-8859-1

If you set it up I will connect.

Thanks

John B.
On 2011-11-03, at 4:33 PM, Thomas Hardjono wrote:

> Folks,
> 
> Would anyone be interested if I set up a Webex session for the next 
> OAUTH-WG meeting in Taipei? (You can dial in via phone or computer.) I'm 
> finding that often the delays in Jabber can cause some confusion.
> 
> For this to work someone from the meeting room in Taipei would need to 
> dial into webex (ideally from a Polycom).
> 
> The OAUTH WG is currently scheduled for Thu 17 Nov at 1PM Taipei time 
> (which translates to Wed evening 9PM-Pacific or 12midnight-Eastern).
> 
> cheers,
> 
> 
> /thomas/
> 
> 
> 
> __________________________________________
> Thomas Hardjono
> email:  hardjono[at]mit.edu
> desk:   +1 617-715-2451
> __________________________________________
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_78B90C0E-0236-4290-B1C9-7E41BF033980
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_78B90C0E-0236-4290-B1C9-7E41BF033980--

From James.H.Manger@team.telstra.com  Thu Nov  3 15:25:23 2011
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22DCA11E80C2 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 15:25:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.351
X-Spam-Level: 
X-Spam-Status: No, score=-3.351 tagged_above=-999 required=5 tests=[AWL=-2.450, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvA-XaxrG2MH for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 15:25:22 -0700 (PDT)
Received: from ipxano.tcif.telstra.com.au (ipxano.tcif.telstra.com.au [203.35.82.200]) by ietfa.amsl.com (Postfix) with ESMTP id 6095F11E80BD for <oauth@ietf.org>; Thu,  3 Nov 2011 15:25:21 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.69,452,1315144800"; d="scan'208";a="55390779"
Received: from unknown (HELO ipcdni.tcif.telstra.com.au) ([10.97.216.212]) by ipoani.tcif.telstra.com.au with ESMTP; 04 Nov 2011 09:25:21 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6519"; a="41393276"
Received: from wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) by ipcdni.tcif.telstra.com.au with ESMTP; 04 Nov 2011 09:25:21 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) with mapi; Fri, 4 Nov 2011 09:25:20 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Thomas Hardjono <hardjono@MIT.EDU>, "oauth (oauth@ietf.org)" <oauth@ietf.org>
Date: Fri, 4 Nov 2011 09:25:19 +1100
Thread-Topic: Webex for OAUTH-WG meeting at IETF82 Taipei
Thread-Index: AcyaX2eT3hK6nEa8QpCgNOesLdoO+wAF/UtA
Message-ID: <255B9BB34FB7D647A506DC292726F6E112926B9D3E@WSMSG3153V.srv.dir.telstra.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC25CF@EXPO10.exchange.mit.edu>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Webex for OAUTH-WG meeting at IETF82 Taipei
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 22:25:23 -0000

I would like to join by webex.

--
James Manger

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Thomas Hardjono
Sent: Friday, 4 November 2011 6:33 AM
To: oauth (oauth@ietf.org)
Cc: barryleiba@computer.org
Subject: [OAUTH-WG] Webex for OAUTH-WG meeting at IETF82 Taipei

Folks,

Would anyone be interested if I set up a Webex session for the next OAUTH-WG meeting in Taipei? (You can dial in via phone or computer.) I'm finding that often the delays in Jabber can cause some confusion.

For this to work someone from the meeting room in Taipei would need to dial into webex (ideally from a Polycom).

The OAUTH WG is currently scheduled for Thu 17 Nov at 1PM Taipei time (which translates to Wed evening 9PM-Pacific or 12midnight-Eastern).

cheers,


/thomas/



__________________________________________
Thomas Hardjono
email:  hardjono[at]mit.edu
desk:   +1 617-715-2451
__________________________________________



From Michael.Jones@microsoft.com  Thu Nov  3 16:59:34 2011
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BBC111E80AD for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 16:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEfRJMOWpItJ for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 16:59:33 -0700 (PDT)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 132EB11E8089 for <oauth@ietf.org>; Thu,  3 Nov 2011 16:59:33 -0700 (PDT)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (157.54.80.48) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 3 Nov 2011 16:59:32 -0700
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.65]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.01.0355.003; Thu, 3 Nov 2011 16:59:31 -0700
From: Mike Jones <Michael.Jones@microsoft.com>
To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
Thread-Index: AcyahJPBUHtPYtiuSPCuvJIoFWuI1w==
Date: Thu, 3 Nov 2011 23:59:30 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F6E777E@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.78]
Content-Type: multipart/mixed; boundary="_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 23:59:34 -0000

--_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_
Content-Type: multipart/alternative;
	boundary="_000_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_"

--_000_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thanks for the careful read, Stephen.  I've attached a proposed draft -14 that addresses your comments.  (Per your other note, if you let me know how I can submit this during the submission blackout period based upon your approval as an Area Director, I will gladly do so.)

Replies are inline below.


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
Sent: Wednesday, November 02, 2011 9:45 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13

Hi,

Good work - another one almost out the door! Thanks.

However, I think this one needs a revised ID before we start IETF LC. Nothing hard to change I hope, but I think there are enough changes to make that it's best done that way.

I reckon items 3,5,7-11 and 13 below need fixing, but are I hope all easy. Not sure about item 4.

All my other comments can be considered in conjunction with whatever other IETF LC comments we get, or now, whichever.

If you want to argue that the WG already had strong consensus against a change I'm asking for, or that I'm just being dumb, (which happens all the time:-) then please do that and we can discuss it on the list and/or at the meeting.

Regards,

Stephen.

questions/comments:

1) What does the 1st sentence of section 2 mean? What is the 2119 MAY for? Couldn't that sentence be deleted? If not, why not?

Agreed, this sentence was unnecessary - deleted.


2) I think you should warn implementers in 2.3 that using the query string is fairly likely to result in the access token being logged, which is highly undesirable. (That is there later too, but I think deserves to be here.) What does "the only feasible method" mean?  I think that needs to be defined, as was done in 2.2.

Done


3) Where's it say what to do with a scope attribute presented by a server?

Added "In some cases, the scope value will be used when requesting a new access token with sufficient scope of access to utilize the protected resource."


4) What is the realm attribute in section 3? What is a client expected to do with that? I guess it has to be different from how realm is used with e.g. Basic. (That might be my ignorance of HTTP details though;-)

Spec now describes the realm parameter and states that it is used as defined by HTTPbis-p7.


5) Section 3 ABNF allows "realm=foo;realm=bar;scope=baz;error=123"

is that ok? Is processing clear for all cases? I don't think it is.

The spec does not allow this, as realm (and the other parameters) are defined as quoted strings.


6) 3.1, invalid_token - the client MAY retry, SHOULD it do that in an infinite loop? Probably not;-)

The spec says that "The client MAY request a new access token and retry the protected resource request."  So this isn't just a mechanistic re-do; multiple protocol messages would be exchanged to request and present a new access token and retry, and user interactions may occur in the process, so it's not likely that this is going to be placed into a simple "while" loop.  While you're right that a badly written program might retry ad infinitum, I don't think it's likely; therefore, I'm not sure that it's the place of the spec to warn developers against writing an infinite loop in this particular case, as competent developers will avoid them in all cases.  But if you strongly disagree, please provide specific suggested language to include.


7) "Assuming" token integrity protection is wrong. You need to make it a MUST. That is, you need to say that resource servers MUST only accept tokens with strong integrity or similar.

Good - done


8) I think you need to say that TLS is MTI and MUST be used, (i.e. with 2119 language) and it'd be better to put that in the introduction as well as 4.2.

Added statement that "TLS is mandatory to implement and use with this specification" to the introduction.  (It was already present in 4.2.)


9) As-is 4.2 allows anonymous D-H TLS ciphersuites. I don't think you want that, but yet you only call for ciphersuites that "offer confidentiality." I think that needs to be tightened up. 4.3 does tighten there, but I think 4.2's language also needs fixing.

Done - added "As a further defense against token disclosure, the client MUST validate the TLS certificate chain when making requests to protected resources" to 4.2.


10) The token validity doesn't have to be "inside." I could e.g. change a token MAC verification key every hour and limit lifetime that way.

Clarified that putting a validity time field inside the protected part of the token is one means, but not the only means, of limiting the lifetime of the token.


11) Two paragraphs in 4.2 contradict one another. 3rd last para says you MUST use TLS, 2nd last para says you MUST have confidentiality "for instance...TLS." I'd ditch the second one I think, but something needs fixing.

Agreed - Dropped the confusing phrase "for instance, through the use of TLS" from the sentence about confidentiality protection of the exchanges in the 2nd to last paragraph.


12) Why reference 2818 instead of 6125?

Changed, per your suggestion.


13) I think you need to say something here about load balancers and other server side things that terminate TLS, before the resource server and behind which bearer tokens are unprotected.  At least say that tokens MUST be protected there and provide guidance as to how to do that well. Lots of people do that badly I think. (At least at first;-)

Added this new paragraph to the Threat Mitigation section: "In some deployments, including those utilizing load balancers, the TLS connection to the resource server terminates prior to the actual server that provides the resource.  This could leave the token unprotected between the front end server where the TLS connection terminates and the back end server that provides the resource.  In such deployments, sufficient measures MUST be employed to ensure confidentiality of the token between the front end and back end servers; encryption of the token is one possible such measure."


14) Why are cookies first mentioned in 4.3? Seems like that should have been done earlier.

Added this new paragraph to the Threat Mitigation section: "Cookies are typically transmitted in the clear.  Thus, any information contained in them is at risk of disclosure.  Therefore, bearer tokens MUST NOT be stored in cookies that can be sent in the clear."


nits:

abstract: maybe s/granted resources/the associated resources/?

Done


abstract: s/the bearer token needs to/bearer tokens need to/?

Done


1.2: s/abstraction layer/abstraction/ I don't see any layer there

Done


2.1: I (and others) dislike the use of the reference as if it were part of the sentence, e.g. "defined by [I-D.whatever],..." Better would be "defined as part of HTTP authentication [I-D.whatever]"

There are multiple occurrences of this.

Done (although the reference "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) [RFC6125]" is quite a mouthful!)


2.1: s/follows/as follows/

Done


2.1, last para: I think the SHOULD in the last para of 2.1 and the corresponding rules in 2.2 & 2.3 would be better stated up front.

Statements about when each of the methods SHOULD be used are made in the last paragraph of each of 2.1, 2.2, and 2.3.  I looked into moving all of them to the first paragraphs to keep the presentation parallel, but it hurt readability for 2.2 and 2.3.  Thus, I made no change here.


end of p7, s/attribute MUST NOT/attributes MUST NOT/

Done


4.2, s/recommended/RECOMMENDED/ is better but they mean the same already!

Done

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Thanks again,
-- Mike
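Items 7 and 10 above (resource servers MUST only accept integrity-protected tokens; lifetime can be bounded by rotating the MAC verification key rather than by a validity field inside the token) and item 5 (challenge parameters are quoted strings), worked through as an added example in Python. This is not code from the draft or from either message; the token layout, the per-hour key derivation, the one-window grace period and the constructed master key are assumptions for illustration.

```python
"""Resource-server acceptance of bearer tokens: HMAC integrity check plus
hourly MAC-key rotation, with no expiry field inside the token.
Added example; token layout and key derivation are assumed, not the draft's."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

HOUR = 3600
# Constructed master secret for the demo only; a real deployment keeps it in
# a KMS/HSM, never in source.
MASTER_KEY = b"constructed-master-key-for-demo-only"


def window_key(window: int) -> bytes:
    """Derive the MAC key for one hourly window (assumed scheme).  Retiring
    old window keys is what bounds token lifetime here: a token issued in
    window W is accepted only while the key for W is still live."""
    return hmac.new(MASTER_KEY, b"bearer-mac|%d" % window, hashlib.sha256).digest()


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, now: float) -> str:
    """Authorization-server side.  Assumed layout: window.payload.mac, with the
    HMAC covering "window.payload" so neither part can be altered."""
    window = int(now // HOUR)
    payload = b64u(f"{subject}|{scope}|{secrets.token_hex(8)}".encode())
    body = f"{window}.{payload}"
    mac = hmac.new(window_key(window), body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64u(mac)}"


def verify_token(token: str, now: float,
                 grace_windows: int = 1) -> Tuple[bool, str, Optional[dict]]:
    """Resource-server side.  Returns (accepted, reason, claims).
    Only a token whose MAC verifies under a still-live key is accepted; every
    other case (unsigned, tampered, stale or future window) is reported with
    the draft's invalid_token error code."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False, "invalid_token", None
    window_s, payload, mac_s = parts
    window, current = int(window_s), int(now // HOUR)
    # Keys older than grace_windows are retired and future windows have no key
    # yet, so such tokens are rejected before any MAC work is done.  With
    # grace_windows=1 a token lives between one and two hours.
    if window > current or current - window > grace_windows:
        return False, "invalid_token", None
    try:
        given = b64u_decode(mac_s)
        expected = hmac.new(window_key(window), f"{window_s}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):  # constant-time compare
            return False, "invalid_token", None
        subject, scope, _nonce = b64u_decode(payload).decode("utf-8").split("|")
    except ValueError:  # bad base64, bad UTF-8 or wrong field count
        return False, "invalid_token", None
    return True, "ok", {"sub": subject, "scope": scope}


def _quote(value: str) -> str:
    """HTTP quoted-string: backslash-escape '\\' and '"'."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def challenge(realm: str, error: Optional[str] = None,
              scope: Optional[str] = None) -> str:
    """WWW-Authenticate value for the 401.  Each parameter appears once and is
    emitted as a quoted-string, per Mike's answer to item 5."""
    params = [f"realm={_quote(realm)}"]
    if scope:
        params.append(f"scope={_quote(scope)}")
    if error:
        params.append(f"error={_quote(error)}")
    return "Bearer " + ", ".join(params)


if __name__ == "__main__":
    t0 = 1_000_000.0  # constructed clock value
    tok = issue_token("alice", "read", t0)
    print(verify_token(tok, t0 + 600))       # accepted: same window
    print(verify_token(tok, t0 + 2 * HOUR))  # rejected: window key retired
    print(challenge("api.example", error="invalid_token"))
```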


--_000_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_--

--_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_
Content-Type: application/pdf; name="draft-ietf-oauth-v2-bearer-14.pdf"
Content-Description: draft-ietf-oauth-v2-bearer-14.pdf
Content-Disposition: attachment;
	filename="draft-ietf-oauth-v2-bearer-14.pdf"; size=166530;
	creation-date="Thu, 03 Nov 2011 23:52:04 GMT";
	modification-date="Thu, 03 Nov 2011 23:49:08 GMT"
Content-Transfer-Encoding: base64
--_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_
Content-Type: text/html; name="draft-ietf-oauth-v2-bearer-14.html"
Content-Description: draft-ietf-oauth-v2-bearer-14.html
Content-Disposition: attachment;
	filename="draft-ietf-oauth-v2-bearer-14.html"; size=74537;
	creation-date="Thu, 03 Nov 2011 23:52:04 GMT";
	modification-date="Thu, 03 Nov 2011 23:48:44 GMT"
Content-Transfer-Encoding: base64
--_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_
Content-Type: text/plain; name="draft-ietf-oauth-v2-bearer-14.txt"
Content-Description: draft-ietf-oauth-v2-bearer-14.txt
Content-Disposition: attachment;
	filename="draft-ietf-oauth-v2-bearer-14.txt"; size=43916;
	creation-date="Thu, 03 Nov 2011 23:52:04 GMT";
	modification-date="Thu, 03 Nov 2011 23:48:30 GMT"
Content-Transfer-Encoding: base64
--_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_
Content-Type: text/xml; name="draft-ietf-oauth-v2-bearer-14.xml"
Content-Description: draft-ietf-oauth-v2-bearer-14.xml
Content-Disposition: attachment;
	filename="draft-ietf-oauth-v2-bearer-14.xml"; size=47161;
	creation-date="Thu, 03 Nov 2011 23:52:04 GMT";
	modification-date="Thu, 03 Nov 2011 23:46:50 GMT"
Content-Transfer-Encoding: base64
--_007_4E1F6AAD24975D4BA5B16804296739435F6E777ETK5EX14MBXC283r_--

From andredemarre@gmail.com  Thu Nov  3 17:09:43 2011
Return-Path: <andredemarre@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 382311F0C85 for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 17:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level: 
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_75=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmtOQSAZX97x for <oauth@ietfa.amsl.com>; Thu,  3 Nov 2011 17:09:42 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7078A1F0C59 for <oauth@ietf.org>; Thu,  3 Nov 2011 17:09:40 -0700 (PDT)
Received: by iaeo4 with SMTP id o4so2459487iae.31 for <oauth@ietf.org>; Thu, 03 Nov 2011 17:09:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=pYgcX4T5Sif+5R4nvVwfK+6yoCeD/AIcaaOGpAAhoOY=; b=DyuO+X5Ok2FUBGF4e0vvN8D8jD7tyj46DFFuih8vnvxqBmPfZarY4bj809hQ5PQ/w6 A+0r5IJcm+pVwPQ2LBQIubWSraMOzl83ErH/OPMy3HzfNlKGmtn9gGsrC5YMkK3bBJzo anOG4Uqbvd8Kflqi99eOlMz5JOEREY4pvPmpY=
MIME-Version: 1.0
Received: by 10.42.117.193 with SMTP id u1mr11988819icq.24.1320365379936; Thu, 03 Nov 2011 17:09:39 -0700 (PDT)
Received: by 10.42.151.131 with HTTP; Thu, 3 Nov 2011 17:09:39 -0700 (PDT)
In-Reply-To: <4EB1B5AB.6020208@lodderstedt.net>
References: <CAEwGkqDscS5ke4KmoVUF3nDjS-1b+SuT_hCb59+rCuokmhPOVQ@mail.gmail.com> <CAEwGkqAfvq=rZUMOVTWqrV1H6fuSYGC=EDa=1JW7htP5-dbW_g@mail.gmail.com> <4EB1B5AB.6020208@lodderstedt.net>
Date: Thu, 3 Nov 2011 17:09:39 -0700
Message-ID: <CAEwGkqBhRfcfFe6qf0D80TxEj-GVMB7Q3=Hfhutheu3sLpG1Dg@mail.gmail.com>
From: André DeMarre <andredemarre@gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2011 00:09:43 -0000

You are right that they are similar, but there is a difference, and
only one of the six countermeasures is relevant to the threat I
described.

http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4
seems to be about an attack where the malicious client impersonates a
different (valid) client that is registered with the authorization
server. In other words, the valid client is registered as client_id
123, and the malicious client does not have its own client_id but
tries to pose as client 123. This corresponds to
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-10.2.

In the threat I described, there is no valid client. The malicious
client is properly registered with the authorization server and has
its own client_id and client credentials. It can authenticate with the
authorization server without trying to pose as a different client.

As an attacker you might reason, "Why would I try to impersonate a
valid client for which I don't know the client credentials and can't
pass the redirect URI test, when I can just register my own client
with my own redirect URI and be given my own credentials?"

Imagine the attacker wants to impersonate Google with a popular web
service called Foobar. The attacker registers his application with
Foobar's auth server. It does not matter if the real Google has
registered an authentic app with Foobar. The attacker has no reason to
be interested in stealing or guessing client credentials when he can
simply register his own app and call it "Google".

The information the auth server shows to end users when asking them to
grant authorization becomes very important.

Regards,
Andre DeMarre

On Wed, Nov 2, 2011 at 2:27 PM, Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
> Hi Andre,
>
> how do you think differs the threat you described from
> http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4?
>
> regards,
> Torsten.
> On 26.10.2011 22:44, André DeMarre wrote:
>>
>> Should a brief explanation of this be added to the Threat Model and
>> Security Considerations document? Or does anyone even agree that this
>> can be a problem?
>>
>> Regards,
>> Andre DeMarre
>>
>> On Tue, Oct 4, 2011 at 11:32 AM, André DeMarre <andredemarre@gmail.com>
>> wrote:
>>>
>>> I've not seen this particular variant of phishing and client
>>> impersonation discussed. A cursory search revealed that most of the
>>> related discussion centers around either (a) client impersonation with
>>> stolen client credentials or (b) phishing by malicious clients
>>> directing resource owners to spoofed authorization servers. This is
>>> different.
>>>
>>> This attack exploits the trust a resource owner has for an OAuth
>>> authorization server so as to lend repute to a malicious client
>>> pretending to be from a trustworthy source. This is not necessarily a
>>> direct vulnerability of OAuth; rather, it shows that authorization
>>> servers have a responsibility regarding client application names and
>>> how they present resource owners with the option to allow or deny
>>> authorization.
>>>
>>> A key to this exploit is the process of client registration with the
>>> authorization server. A malicious client developer registers his
>>> client application with a name that appears to represent a legitimate
>>> organization which resource owners are likely to trust. Resource
>>> owners at the authorization endpoint may be misled into granting
>>> authorization when they see the authorization server asserting "<some
>>> trustworthy name> is requesting permission to..."
>>>
>>> Imagine someone registers a client application with an OAuth service,
>>> let's call it Foobar, and he names his client app "Google, Inc.". The
>>> Foobar authorization server will engage the user with "Google, Inc. is
>>> requesting permission to do the following." The resource owner might
>>> reason, "I see that I'm legitimately on the https://www.foobar.com
>>> site, and Foobar is telling me that Google wants permission. I trust
>>> Foobar and Google, so I'll click Allow."
>>>
>>> To make the masquerade act even more convincing, many of the most
>>> popular OAuth services allow app developers to upload images which
>>> could be official logos of the organizations they are posing as. Often
>>> app developers can supply arbitrary, unconfirmed URIs which are shown
>>> to the resource owner as the app's website, even if the domain does
>>> not match the redirect URI. Some OAuth services blindly entrust client
>>> apps to customize the authorization page in other ways.
>>>
>>> This is hard to defend against. Authorization server administrators
>>> could police client names, but that approach gives them a burden
>>> similar to certificate authorities to verify organizations before
>>> issuing certificates. Very expensive.
>>>
>>> A much simpler solution is for authorization servers to be careful
>>> with their wording and educate resource owners about the need for
>>> discretion when granting authority. Foobar's message above could be
>>> changed: "An application calling itself Google, Inc. is requesting
>>> permission to do the following" later adding, "Only allow this request
>>> if you are sure of the application's source." Such wording is less
>>> likely to give the impression that the resource server is vouching for
>>> the application's identity.
>>>
>>> Authorization servers would also do well to show the resource owner
>>> additional information about the client application to help them make
>>> informed decisions. For example, it could display all or part of the
>>> app's redirect URI, saying, "The application is operating on
>>> example.com" or "If you decide to allow this application, your browser
>>> will be directed to http://www.example.com/." Further, if the client
>>> app's redirect URI uses TLS (something authorization servers might
>>> choose to mandate), then auth servers can verify the certificate and
>>> show the certified organization name to resource owners.
>>>
>>> This attack is possible with OAuth 1, but OAuth 2 makes successful
>>> exploitation easier. OAuth 1 required the client to obtain temporary
>>> credentials (aka access tokens) before sending resource owners to the
>>> authorization endpoint. Now with OAuth 2, this attack does not require
>>> resource owners to interact with the client application before
>>> visiting the authorization server. The malicious client developer only
>>> needs to distribute links around the web to the authorization server's
>>> authorization endpoint. If the HTTP service is a social platform, the
>>> client app might distribute links using resource owners' accounts with
>>> the access tokens it has acquired, becoming a sort of worm. Continuing
>>> the Google/Foobar example above, it might use anchor text such as "I
>>> used Google Plus to synchronize with my Foobar account." Moreover, if
>>> the app's redirect URI bounces the resource owner back to the HTTP
>>> service after acquiring an authorization code, the victim will never
>>> see a page rendered at the insidious app's domain.
>>>
>>> This is especially dangerous because the public is not trained to
>>> defend against it. Savvy users are (arguably) getting better at
>>> protecting themselves from traditional phishing by verifying the
>>> domain in the address bar, and perhaps checking TLS certificates, but
>>> such defenses are irrelevant here. Resource owners now need to verify
>>> not only that they are on the legitimate authorization server, but to
>>> consider the trustworthiness of the link that referred them there.
>>>
>>> I'm not sure what can or should be done, but I think it's important
>>> for authorization server implementers to be aware of this attack. If
>>> administrators are not able to authenticate client organizations, then
>>> they are shifting this burden to resource owners. They should do all
>>> they can to educate resource owners and help them make informed
>>> decisions before granting authorization.
>>>
>>> Regards,
>>> Andre DeMarre
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
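
The consent-page handling Andre recommends, as an added example in Python that is not part of the original thread or of any OAuth implementation: the wording attributes the name to the client instead of vouching for it, the host shown to the resource owner is taken from the parsed redirect URI (so userinfo in the URI cannot disguise the destination), and a self-asserted website whose host differs from the redirect host is flagged. The client IDs, names, hosts and the `CLIENTS` table are constructed for the example; the check that the request's redirect_uri matches the registration is the one the core spec already requires of the authorization server.

```python
"""Consent-screen data for an OAuth 2.0 authorization server.

Added example, not code from the thread or from any OAuth implementation.
Client records and request inputs are constructed.
"""
from urllib.parse import urlsplit

# Constructed client registrations, as an authorization server might store
# them. The name and "website" are developer-supplied and unverified.
CLIENTS = {
    "abc123": {
        "name": "Google, Inc.",                       # self-asserted
        "website": "https://www.google.com/",         # self-asserted
        "redirect_uris": ["https://apps.attacker.example/cb"],
    },
    "def456": {
        "name": "Foobar Sync",
        "website": "https://sync.example.org/",
        "redirect_uris": ["https://sync.example.org/oauth/callback"],
    },
}


def effective_host(uri):
    """Return the host a browser would actually be sent to.

    Uses the parsed hostname rather than the raw string, so userinfo in
    the URI ("https://www.google.com@attacker.example/") cannot make a
    display of the redirect URI look like a different site.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("redirect URI must be an absolute http(s) URI")
    return parts.hostname.lower()


def consent_prompt(client_id, redirect_uri, scopes):
    """Build the data the consent page shows for one authorization request.

    redirect_uri comes from the request; it is re-checked against the
    registration rather than trusted.
    """
    client = CLIENTS[client_id]
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri does not match registration")

    host = effective_host(redirect_uri)
    website_host = effective_host(client["website"])

    # Wording that attributes the name to the client, not to the server.
    headline = ('An application calling itself "%s" is requesting '
                'permission to:' % client["name"])
    destination = ("If you allow this request, your browser will be "
                   "sent to %s" % host)
    return {
        "headline": headline,
        "scopes": list(scopes),
        "destination": destination,
        "redirect_host": host,
        # Self-asserted website that does not match where the code will
        # actually be delivered; the page can show a warning for this.
        "website_mismatch": website_host != host,
        # Only an https redirect URI gives the server a certificate whose
        # organization name it could verify and show.
        "tls_verifiable": urlsplit(redirect_uri).scheme == "https",
        "footer": ("Only allow this request if you are sure of the "
                   "application's source."),
    }
```

The returned dict is what a template would render; keeping the wording and the host derivation in one place makes it easy to audit that no page ever prints the developer-supplied name as if the server had verified it.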

From phil.hunt@oracle.com  Fri Nov  4 13:41:10 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7545211E808E for <oauth@ietfa.amsl.com>; Fri,  4 Nov 2011 13:41:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level: 
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.099,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztSH8+VpRLp3 for <oauth@ietfa.amsl.com>; Fri,  4 Nov 2011 13:41:09 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 7B92211E8082 for <oauth@ietf.org>; Fri,  4 Nov 2011 13:41:09 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pA4Kf7Ro006914 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 4 Nov 2011 20:41:08 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pA4Kf5v8002942 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Fri, 4 Nov 2011 20:41:07 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pA4Kf0l0009506 for <oauth@ietf.org>; Fri, 4 Nov 2011 15:41:00 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 04 Nov 2011 13:41:00 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_183460ED-B23E-47BF-9350-13F2BAF6F023"
Date: Fri, 4 Nov 2011 13:40:58 -0700
Message-Id: <918554FB-F7B1-42E7-AA49-E3611F435796@oracle.com>
To: "oauth (oauth@ietf.org)" <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1251.1)
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090201.4EB44DE4.018E,ss=1,re=0.000,fgs=0
Subject: [OAUTH-WG] SAML Bearer Spec 09 - Refresh Clarification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2011 20:41:10 -0000

--Apple-Mail=_183460ED-B23E-47BF-9350-13F2BAF6F023
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Section 4.5 of the OAuth Core spec provides that extension specs MAY issue refresh tokens.  Yet, section 3.1 of the OAuth2 SAML Bearer specification currently says SHOULD NOT (from draft 09):

> Authorization servers SHOULD issue access tokens with a limited lifetime and require clients to refresh them by requesting a new access token using the same assertion, if it is still valid, or with a new assertion.  The authorization server SHOULD NOT issue a refresh token.

There has been some confusion as to why authorization servers SHOULD NOT issue refresh tokens. Apparently this wording was put in place because a SAML Bearer authorization might have a shorter life than typical refresh token lifetime. Hence there was a concern that an authorization server would inadvertently issue a long-lasting refresh token that outlives the original SAML Bearer authorization.  In order to make this concern clear I propose the following text that makes clear the concern and makes refresh tokens more permissive:

Authorization servers SHOULD issue access tokens with a limited lifetime and require clients to refresh them by requesting a new access token using the same assertion, if it is still valid, or with a new assertion.  The authorization server SHOULD NOT issue a refresh token that has an expiry longer than the lifetime of the authorization grant.

I'm not aware of any other concerns regarding refresh tokens being issued in conjunction with SAML Bearer assertions?  Are there any concerns that suggest we should keep the wording as generally SHOULD NOT?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com






--Apple-Mail=_183460ED-B23E-47BF-9350-13F2BAF6F023--
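
The rule in Phil's proposed text, as an added example in Python that is not part of the thread or of any SAML bearer implementation: the authorization server reads the assertion's Conditions, refuses the grant outside the NotBefore/NotOnOrAfter window, and caps both the access token and any refresh token at NotOnOrAfter, so a refresh token can never outlive the authorization grant. The assertion fragment, the issuer and the TTL constants are constructed; signature, Issuer, Audience and SubjectConfirmation checks, which a real server performs before any of this, are left out.

```python
"""Token issuance for the SAML 2.0 bearer assertion grant.

Added example, not code from the thread or from any implementation.
The assertion is a constructed, minimal, unsigned fragment.
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ACCESS_TOKEN_TTL = timedelta(minutes=10)   # assumed server policy
DEFAULT_REFRESH_TTL = timedelta(days=30)   # assumed server policy

# Constructed assertion; only its Conditions element is read here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0"
    IssueInstant="2011-11-04T20:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2011-11-04T20:00:00Z"
                   NotOnOrAfter="2011-11-04T21:00:00Z"/>
</saml:Assertion>""" % SAML_NS


def parse_iso8601(s):
    """Parse the UTC 'Z' form SAML uses into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_validity(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion lacks Conditions/NotOnOrAfter")
    not_before = parse_iso8601(cond.attrib.get("NotBefore", "1970-01-01T00:00:00Z"))
    return not_before, parse_iso8601(cond.attrib["NotOnOrAfter"])


def issue_tokens(assertion_xml, now, refresh_ttl=DEFAULT_REFRESH_TTL):
    """Issue a short-lived access token plus a refresh token whose expiry is
    capped at the assertion's NotOnOrAfter; refuse an assertion that is not
    currently valid."""
    not_before, not_on_or_after = assertion_validity(assertion_xml)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("invalid_grant: assertion not within its validity period")

    access_exp = min(now + ACCESS_TOKEN_TTL, not_on_or_after)
    # The proposed text: SHOULD NOT issue a refresh token that has an
    # expiry longer than the lifetime of the authorization grant.
    refresh_exp = min(now + refresh_ttl, not_on_or_after)
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": int((access_exp - now).total_seconds()),
        "refresh_token": secrets.token_urlsafe(32),
        "refresh_expires_at": refresh_exp,
    }
```

With the cap in place a refresh token issued near the end of the assertion's window is short-lived, and a client that wants to keep going after NotOnOrAfter has to present a fresh assertion, which is the behaviour the original SHOULD NOT was trying to guarantee.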

From hannes.tschofenig@gmx.net  Sat Nov  5 12:36:34 2011
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7E4B21F84B4 for <oauth@ietfa.amsl.com>; Sat,  5 Nov 2011 12:36:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.486
X-Spam-Level: 
X-Spam-Status: No, score=-102.486 tagged_above=-999 required=5 tests=[AWL=0.113, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oYu3WGVO0fQ for <oauth@ietfa.amsl.com>; Sat,  5 Nov 2011 12:36:34 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id D1E1121F8549 for <oauth@ietf.org>; Sat,  5 Nov 2011 12:36:33 -0700 (PDT)
Received: (qmail invoked by alias); 05 Nov 2011 19:36:32 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [10.0.0.4]) [88.115.216.191] by mail.gmx.net (mp059) with SMTP; 05 Nov 2011 20:36:32 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+SaiZsHyWSEgEIevbnhAMJY/Q3seFxDrJ8x5YPlA 3asDIy5xlBjty+
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Sat, 5 Nov 2011 21:36:31 +0200
Message-Id: <38D93E20-F8A7-4995-9C72-4BD440BA7BAB@gmx.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Subject: [OAUTH-WG] draft-ietf-oauth-v2-bearer-14
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2011 19:36:34 -0000

Hi all,

after a discussion with Stephen we decided that it would be useful to have draft-ietf-oauth-v2-bearer-14 submitted during the blackout period so that we have the most recent feedback incorporated already before the IETF meeting starts.
Stephen will talk to the secretary to enable the submission and I will approve it.

Ciao
Hannes


From stephen.farrell@cs.tcd.ie  Sat Nov  5 12:46:41 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC74E21F84B3 for <oauth@ietfa.amsl.com>; Sat,  5 Nov 2011 12:46:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5iXJeWKO-mQ0 for <oauth@ietfa.amsl.com>; Sat,  5 Nov 2011 12:46:37 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id C67AA21F842E for <oauth@ietf.org>; Sat,  5 Nov 2011 12:46:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 2DDCF1536F3; Sat,  5 Nov 2011 19:46:22 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1320522381; bh=fBPjwCQ1IDWpwr CMpPlbAzApC9NAsSDTyVOinI6eTkM=; b=gM/OHMx6GBJK1R/H/eINf4RGLM1jIM bvSXjPZzoj1YLa/Bvrg3/fvrdiKmGy7Q5r7LByxzC9wH0Vj2xXB/uMw569He2sfZ 2N91UsyK3osftOYb4wFrJRW1Nwa9/TL5DtObAMk7YhSUgcpP0yorglD2TPUUHdf1 yhRg7OjTMCuwT0b6ihDOp+ApzzGVrlYxFBztVoeCu4HFcAmF7P68X+qGKVjwESE2 AfriqWQonbzhm42cLN2aTlfOIfxQjRoE552bKaEoSPXEJGc6KDCR0EJVHBp+SNE9 ceTQs7gQwq+znUXbdELw9J9k6I6UTXNAuuVTpcwZlO1/D6jy++tTPfQA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id TOS+tDGuJDix; Sat,  5 Nov 2011 19:46:21 +0000 (GMT)
Received: from [10.87.48.11] (unknown [86.41.14.98]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id D7A2E1536F2; Sat,  5 Nov 2011 19:46:21 +0000 (GMT)
Message-ID: <4EB5928D.7010506@cs.tcd.ie>
Date: Sat, 05 Nov 2011 19:46:21 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <38D93E20-F8A7-4995-9C72-4BD440BA7BAB@gmx.net>
In-Reply-To: <38D93E20-F8A7-4995-9C72-4BD440BA7BAB@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-14
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2011 19:46:41 -0000

On 11/05/2011 07:36 PM, Hannes Tschofenig wrote:
> Hi all,
>
> after a discussion with Stephen we decided that it would be useful to have draft-ietf-oauth-v2-bearer-14 submitted during the blackout period so that we have the most recent feedback incorporated already before the IETF meeting starts.
> Stephen will talk to the secretary to enable the submission and I will approve it.

Done. Might take 'em a few days - they're busy with travel
and meeting prep.

S

From Internet-Drafts@ietf.org  Mon Nov  7 10:00:03 2011
Return-Path: <Internet-Drafts@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 203F321F8BE4; Mon,  7 Nov 2011 10:00:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.47
X-Spam-Level: 
X-Spam-Status: No, score=-102.47 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QgInqEHCGMa9; Mon,  7 Nov 2011 10:00:02 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A734A21F8BE8; Mon,  7 Nov 2011 10:00:02 -0800 (PST)
MIME-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.63
Message-ID: <20111107180002.9105.29455.idtracker@ietfa.amsl.com>
Date: Mon, 07 Nov 2011 10:00:02 -0800
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D ACTION:draft-ietf-oauth-v2-bearer-14.txt

A new Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

    Title         : The OAuth 2.0 Authorization Protocol: Bearer Tokens
    Author(s)     : M. Jones, et al
    Filename      : draft-ietf-oauth-v2-bearer-14.txt
    Pages         : 21
    Date          : 2011-11-07
    
This specification describes how to use bearer tokens in HTTP requests to
access OAuth 2.0 protected resources.  Any party in possession of a bearer
token (a "bearer") can use it to get access to the associated resources
(without demonstrating possession of a cryptographic key).  To prevent
misuse, bearer tokens need to be protected from disclosure in storage and
in transport.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-14.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From Michael.Jones@microsoft.com  Mon Nov  7 10:22:46 2011
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 7 Nov 2011 18:22:43 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F6F02EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
Subject: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -14

Draft 14 of the OAuth 2.0 Bearer Token Specification<http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html> has been published.  It contains the following changes:

· Changes made in response to review comments by Security Area Director Stephen Farrell. Specifically:

· Strengthened warnings about passing an access token as a query parameter and more precisely described the limitations placed upon the use of this method.

· Clarified that the realm attribute MAY be included to indicate the scope of protection in the manner described in HTTP/1.1, Part 7 [I-D.ietf-httpbis-p7-auth]<http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#I-D.ietf-httpbis-p7-auth>.

· Normatively stated that "the token integrity protection MUST be sufficient to prevent the token from being modified".

· Added statement that "TLS is mandatory to implement and use with this specification" to the introduction.

· Stated that TLS MUST be used with "a ciphersuite that provides confidentiality and integrity protection".

· Added "As a further defense against token disclosure, the client MUST validate the TLS certificate chain when making requests to protected resources" to the Threat Mitigation section.

· Clarified that putting a validity time field inside the protected part of the token is one means, but not the only means, of limiting the lifetime of the token.

· Dropped the confusing phrase "for instance, through the use of TLS" from the sentence about confidentiality protection of the exchanges.

· Reference RFC 6125 for identity verification, rather than RFC 2818.

· Stated that the token MUST be protected between front end and back end servers when the TLS connection terminates at a front end server that is distinct from the actual server that provides the resource.

· Stated that bearer tokens MUST not be stored in cookies that can be sent in the clear in the Threat Mitigation section.

· Replaced sole remaining reference to [RFC2616]<http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#RFC2616>.

· Replaced all references where the reference is used as if it were part of the sentence (such as "defined by [I-D.whatever]") with ones where the specification name is used, followed by the reference (such as "defined by Whatever [I-D.whatever]").

· Other non-normative editorial improvements.

The draft is available at these locations:

· http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-14

· http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-14.pdf

· http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-14.txt

· http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-14.xml

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-14.html

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-14.pdf

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-14.txt

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-14.xml

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html (will point to new versions as they are posted)

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.pdf (will point to new versions as they are posted)

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.txt (will point to new versions as they are posted)

· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.xml (will point to new versions as they are posted)

· http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, pdf, txt, and html versions available)

                                                                -- Mike


From declan.newman@semantico.com  Tue Nov  8 01:58:12 2011
From: Declan Newman <declan.newman@semantico.com>
Date: Tue, 8 Nov 2011 09:58:04 +0000
Message-Id: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>
To: oauth@ietf.org
Cc: Will Simpson <will.simpson@semantico.com>, Geoffrey Bilder <gbilder@crossref.org>
Subject: [OAUTH-WG] Single transaction token


Hello,

We're currently implementing an OAuth 2 provider for a client, who needs
to have the facility to authenticate/authorise a client to update in a
single transaction.

Is there a way to specify the validity of a token on a per-transaction
basis, as opposed to a timeframe?

Any help much appreciated.

Regards,

Dec

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:Declan.Newman@semantico.com>
<tel:+44-1273-358247>



From eran@hueniverse.com  Tue Nov  8 07:18:29 2011
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Declan Newman <declan.newman@semantico.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 8 Nov 2011 08:18:13 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452634039D7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>
In-Reply-To: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>
Cc: Will Simpson <will.simpson@semantico.com>, Geoffrey Bilder <gbilder@crossref.org>
Subject: Re: [OAUTH-WG] Single transaction token


No, but you can define a new parameter for use instead or alongside the
existing parameter.

EHL




From wmills@yahoo-inc.com  Tue Nov  8 07:35:27 2011
References: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>
Message-ID: <1320766520.68585.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Tue, 8 Nov 2011 07:35:20 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Declan Newman <declan.newman@semantico.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com>
Subject: Re: [OAUTH-WG] Single transaction token


The problem is that the token has no state about the transaction. Is the
transaction already determined when the token is issued? If so then put
the transaction data in the token and make it non-repeatable.

If this is an auth token for an arbitrary single action you have to put
some form of replay protection on the protected resource, or you can
immediately revoke the token after use against a revocation API and make
sure the RP is checking for revoked tokens against the same API/endpoint.
You do have a race here, so you have to sort out what you'll make
synchronous calls against for this.

Regards,

-bill

From hardjono@mit.edu  Tue Nov  8 09:06:36 2011
Return-Path: <hardjono@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8800421F84BC for <oauth@ietfa.amsl.com>; Tue,  8 Nov 2011 09:06:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.323
X-Spam-Level: 
X-Spam-Status: No, score=-5.323 tagged_above=-999 required=5 tests=[AWL=0.275,  BAYES_00=-2.599, GB_I_INVITATION=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h-mpvnuXAx6Q for <oauth@ietfa.amsl.com>; Tue,  8 Nov 2011 09:06:35 -0800 (PST)
Received: from dmz-mailsec-scanner-6.mit.edu (DMZ-MAILSEC-SCANNER-6.MIT.EDU [18.7.68.35]) by ietfa.amsl.com (Postfix) with ESMTP id 0368B21F8485 for <oauth@ietf.org>; Tue,  8 Nov 2011 09:06:34 -0800 (PST)
X-AuditID: 12074423-b7f756d0000008d0-73-4eb9618dd672
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id B1.4B.02256.D8169BE4; Tue,  8 Nov 2011 12:06:21 -0500 (EST)
Received: from outgoing-exchange-2.mit.edu (OUTGOING-EXCHANGE-2.MIT.EDU [18.9.28.16]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id pA8H6Lqd024959 for <oauth@ietf.org>; Tue, 8 Nov 2011 12:06:21 -0500
Received: from W92EXEDGE5.EXCHANGE.MIT.EDU (W92EXEDGE5.EXCHANGE.MIT.EDU [18.7.73.22]) by outgoing-exchange-2.mit.edu (8.13.8/8.12.4) with ESMTP id pA8H6KeW027856 for <oauth@ietf.org>; Tue, 8 Nov 2011 12:06:21 -0500
Received: from oc11exhub4.exchange.mit.edu (18.9.3.14) by W92EXEDGE5.EXCHANGE.MIT.EDU (18.7.73.22) with Microsoft SMTP Server (TLS) id 14.1.289.1; Tue, 8 Nov 2011 12:05:32 -0500
Received: from EXPO10.exchange.mit.edu ([18.9.4.15]) by oc11exhub4.exchange.mit.edu ([18.9.3.14]) with mapi; Tue, 8 Nov 2011 12:06:21 -0500
From: Thomas Hardjono <hardjono@MIT.EDU>
To: "oauth (oauth@ietf.org)" <oauth@ietf.org>
Date: Tue, 8 Nov 2011 12:06:19 -0500
Thread-Topic: OAUTH WG webex for Taipei --- Meeting invitation: OAUTH WG webex
Thread-Index: AcyeOLr+82bYVbdhRoaFbSrcfgZFZQ==
Message-ID: <DADD7EAD88AB484D8CCC328D40214CCD0E79DC29C7@EXPO10.exchange.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_DADD7EAD88AB484D8CCC328D40214CCD0E79DC29C7EXPO10exchang_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrCKsWRmVeSWpSXmKPExsUixCmqrNubuNPPYOpaS4uTb1+xOTB6LFny kymAMYrLJiU1J7MstUjfLoEr4/e/RewFbyYwVjR/fMrawPinh7GLkZNDQsBE4v7WZihbTOLC vfVsXYxcHEIC+xglWme+ZIJwrjBKTJnVxgzhvGCU2LXhEVRmK6PE2wkbWSGcfkaJw609TCDD 2AQ0JM793ssOYosI6Eqs/tQLZrMIqEgc2nmDFcQWFvCUWHFvESNETYDEwZ+LWCFsPYmN5+eB 2bxA8e2P34LZjEAHfj+1Bmw+s4C4xK0n85kgDheUWDR7DzPME/92PWSDqBeVuNO+nhGiPl/i /ZMdLBAzBSVOznzCMoFRdBaSUbOQlM1CUjaLkQMorimxfpc+RImixJTuh+wQtoZE65y57Mji CxjZVzHKpuRW6eYmZuYUpybrFicn5uWlFuma6eVmluilppRuYgRFHbuL8g7GPweVDjEKcDAq 8fDOFN3hJ8SaWFZcmXuIUZKDSUmUd27MTj8hvqT8lMqMxOKM+KLSnNTiQ4wSHMxKIrxrrIFy vCmJlVWpRfkwKWkOFiVxXpmdDn5CAumJJanZqakFqUUwWRkODiUJ3jsJQI2CRanpqRVpmTkl CGkmDk6Q4TxAw33CQIYXFyTmFmemQ+RPMRpztLRfPsXI8eDI3VOMQix5+XmpUuK8b0HGCYCU ZpTmwU2DJc5XjOJAzwnz3gap4gEmXbh5r4BWMQGtatfdBrKqJBEhJdXAuDLvErsJ9+TTXnv7 V+TuX1OnlHXvloEJb8K3sDufSxYtZG/eUTfn3+OvK2Skvm23+Dm93ypu8u5HDwTm6dn+U1Wd U+XtnG6iW5DKUKU67flbkZ0qGbr2//TL/Rb/+8K+3SrU3OftitCFhb0isin5d9x3bnWOecF0 5MbePbcixFn5eyOLUxYKKrEUZyQaajEXFScCADbhB0R3AwAA
Subject: [OAUTH-WG] OAUTH WG webex for Taipei --- Meeting invitation: OAUTH WG webex
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2011 17:06:36 -0000

--_000_DADD7EAD88AB484D8CCC328D40214CCD0E79DC29C7EXPO10exchang_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_DADD7EAD88AB484D8CCC328D40214CCD0E79DC29C7EXPO10exchang_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_DADD7EAD88AB484D8CCC328D40214CCD0E79DC29C7EXPO10exchang_--

From declan.newman@semantico.com  Tue Nov  8 14:36:52 2011
Return-Path: <declan.newman@semantico.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDDCD11E8086 for <oauth@ietfa.amsl.com>; Tue,  8 Nov 2011 14:36:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w51+N5OL5GpX for <oauth@ietfa.amsl.com>; Tue,  8 Nov 2011 14:36:52 -0800 (PST)
Received: from mail.semantico.net (nat01b-dmz.semantico.net [91.208.163.139]) by ietfa.amsl.com (Postfix) with SMTP id C09A111E80C7 for <oauth@ietf.org>; Tue,  8 Nov 2011 14:36:49 -0800 (PST)
Received: from mail.semantico.net (localhost.localdomain [127.0.0.1]) by mail.semantico.net (Postfix) with ESMTP id A9D8327398; Tue,  8 Nov 2011 22:36:44 +0000 (GMT)
Received: from [192.168.1.103] (host86-177-94-65.range86-177.btcentralplus.com [86.177.94.65]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.semantico.net (Postfix) with ESMTPSA id 32C58226A8; Tue,  8 Nov 2011 22:36:44 +0000 (GMT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9EABD69C-A295-434C-A3E3-4219A1CA11CD"
From: Declan Newman <declan.newman@semantico.com>
In-Reply-To: <1320766520.68585.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Tue, 8 Nov 2011 22:36:43 +0000
Message-Id: <3928F44C-B988-47CF-AAE5-CA2C1F5FB2D0@semantico.com>
References: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com> <1320766520.68585.YahooMailNeo@web31816.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>
X-Mailer: Apple Mail (2.1251.1)
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: Will Simpson <will.simpson@semantico.com>, Geoffrey Bilder <gbilder@crossref.org>, oauth@ietf.org
Subject: Re: [OAUTH-WG] Single transaction token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2011 22:36:53 -0000

--Apple-Mail=_9EABD69C-A295-434C-A3E3-4219A1CA11CD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

Thanks very much for your thoughts.

With your comments in mind, our current thinking is that the initial request's scope will determine the access token's life.

If a 'write scope' is requested, a write-lock is placed on the corresponding record and the token is valid for one write operation (with a short expires_in), after which the write-lock is released and the token's expires timestamp is set to a time in the past, allowing the caller to use a refresh token to resume read-only operations using a newly created access token.

In this scenario, the "expires_in" value will be used to revoke the access token, rather than an explicit delete.

I'd be really interested in getting people's views on how this adheres to the current OAuth 2 specification.

Thanks again,

Dec


On 8 Nov 2011, at 15:35, William Mills wrote:

> The problem is that the token has no state about the transaction.  Is the transaction already determined when the token is issued?  If so then put the transaction data in the token and make it non-repeatable.
> 
> If this is an auth token for an arbitrary single action you have to put some form of replay protection on the protected resource, or you can immediately revoke the token after use against a revocation API and make sure the RP is checking for revoked tokens against the same API/endpoint.  You do have a race here, so you have to sort out what you'll make synchronous calls against for this.
> 
> Regards,
> 
> -bill
> 
> From: Declan Newman <declan.newman@semantico.com>
> To: oauth@ietf.org
> Cc: Will Simpson <will.simpson@semantico.com>; Geoffrey Bilder <gbilder@crossref.org>
> Sent: Tuesday, November 8, 2011 1:58 AM
> Subject: [OAUTH-WG] Single transaction token
> 
> Hello,
> 
> We're currently implementing an OAuth 2 provider for a client, who needs to have the facility to authenticate/authorise a client to update in a single transaction.
> 
> Is there a way to specify the validity of a token on a per-transaction basis, as opposed to a timeframe?
> 
> Any help much appreciated.
> 
> Regards,
> 
> Dec
> 
> ----------------------------------------------------------------------------
> Declan Newman, Development Team Leader,
> Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
> <mailto:Declan.Newman@semantico.com>
> <tel:+44-1273-358247>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:Declan.Newman@semantico.com>
<tel:+44-1273-358247>


--Apple-Mail=_9EABD69C-A295-434C-A3E3-4219A1CA11CD--

From wmills@yahoo-inc.com  Tue Nov  8 20:48:42 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A15711E80E3 for <oauth@ietfa.amsl.com>; Tue,  8 Nov 2011 20:48:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.362
X-Spam-Level: 
X-Spam-Status: No, score=-17.362 tagged_above=-999 required=5 tests=[AWL=0.236, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KgkLwTYrS0r6 for <oauth@ietfa.amsl.com>; Tue,  8 Nov 2011 20:48:41 -0800 (PST)
Received: from nm11.bullet.mail.ac4.yahoo.com (nm11.bullet.mail.ac4.yahoo.com [98.139.52.208]) by ietfa.amsl.com (Postfix) with SMTP id 1432E11E8096 for <oauth@ietf.org>; Tue,  8 Nov 2011 20:48:40 -0800 (PST)
Received: from [98.139.52.194] by nm11.bullet.mail.ac4.yahoo.com with NNFMP; 09 Nov 2011 04:48:37 -0000
Received: from [98.139.52.163] by tm7.bullet.mail.ac4.yahoo.com with NNFMP; 09 Nov 2011 04:48:37 -0000
Received: from [127.0.0.1] by omp1046.mail.ac4.yahoo.com with NNFMP; 09 Nov 2011 04:48:37 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 156227.34086.bm@omp1046.mail.ac4.yahoo.com
Received: (qmail 82817 invoked by uid 60001); 9 Nov 2011 04:48:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1320814116; bh=2TOyMb5jg9duYWy+6GWP0fSWCHFkQjosfMBlA1KtLMI=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Ldotyvdp5PWPny5rcN0u/Rp7k5UsOBcPjsQqrF6rzwekwWSfnyWc5KuYJU/ieLhQafZPnedX2mlGQJtcioTTZAbh+vmV1fRVOKh4icToQJ1G5aZWLi4dkWrA5uXbe5e1QUjBA1+r1eD4BESL0pV9n79gO6Do8xf3PK2779sySBE=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=qStn6jKnZYFapi14p6EDAIxfzphOitrCba2/XcypmkdP8BWXR3MdHCGXVNIOm9UE4fWvp2jrDB7YiqgHLpz/MRNO9zREZVa1qSMV/NPlujD4OD6A14xYSh/HHh/UnEa54DDXb9u+NfNhGLxegivC+3q4HFUys+4Psm7UldbyaMg=;
X-YMail-OSG: z3EftnYVM1nRJBcmq8uOn11wUvTQrkFm4.E5MO8pg7eaOJH Hb8EE_KWs9gpvnSoHPidDfPgICmoahlD.pTIM_u6KStEb7DJrNJE.TK1mVRW LF_MghDmfDwvB4IUFkeu9uBhs05YKWTlj2dkWu.Rp5Gq8IGgdbSjgAshEGfZ 4A5_oNeEsUO6ud3aT9Qj3UUe0abHSxfSQogUVnwYfJp7P2HKbT_JL2pySjwp hsf_NBVrwJoT9ZAArxlltUfA3uF8.BDDohwWMUCuESDgwXDkyFHwdt0Zb04H xFAQCyE0m0GNqeRh2wHRS1vyEXIYzq770wP3mTNoRuVZHOFWiVAnQymsX6zE 8OnuqDtu0oQT.IQ.2oQi3DZnFdkqLJcgQeJOxIp9jFbVYPkPPeJLzFypb1vH u3mXZtoZs3lRJXBB590urep9TWwS5bdjHqZJjW3pztQ--
Received: from [209.131.62.115] by web31806.mail.mud.yahoo.com via HTTP; Tue, 08 Nov 2011 20:48:36 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.325013
References: <C1468D5F-052D-4D14-919E-A0465156A780@semantico.com> <1320766520.68585.YahooMailNeo@web31816.mail.mud.yahoo.com> <3928F44C-B988-47CF-AAE5-CA2C1F5FB2D0@semantico.com>
Message-ID: <1320814116.69891.YahooMailNeo@web31806.mail.mud.yahoo.com>
Date: Tue, 8 Nov 2011 20:48:36 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Declan Newman <declan.newman@semantico.com>
In-Reply-To: <3928F44C-B988-47CF-AAE5-CA2C1F5FB2D0@semantico.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1055047407-1803035394-1320814116=:69891"
Cc: Will Simpson <will.simpson@semantico.com>, Geoffrey Bilder <gbilder@crossref.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Single transaction token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 04:48:42 -0000

---1055047407-1803035394-1320814116=:69891
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Nothing here is at all in variance with the OAuth 2 spec.  Everything you're talking about fits nicely into the "put your own application data into an opaque token".



________________________________
From: Declan Newman <declan.newman@semantico.com>
To: William Mills <wmills@yahoo-inc.com>
Cc: oauth@ietf.org; Geoffrey Bilder <gbilder@crossref.org>; Will Simpson <will.simpson@semantico.com>
Sent: Tuesday, November 8, 2011 2:36 PM
Subject: Re: [OAUTH-WG] Single transaction token


Thanks very much for your thoughts.

With your comments in mind, our current thinking is that the initial request's scope will determine the access token's life.

If a 'write scope' is requested, a write-lock is placed on the corresponding record and the token is valid for one write operation (with a short expires_in), after which the write-lock is released and the token's expires timestamp is set to a time in the past, allowing the caller to use a refresh token to resume read-only operations using a newly created access token.

In this scenario, the "expires_in" value will be used to revoke the access token, rather than an explicit delete.

I'd be really interested in getting people's views on how this adheres to the current OAuth 2 specification.

Thanks again,

Dec



On 8 Nov 2011, at 15:35, William Mills wrote:

>The problem is that the token has no state about the transaction.  Is the transaction already determined when the token is issued?  If so then put the transaction data in the token and make it non-repeatable.
>
>If this is an auth token for an arbitrary single action you have to put some form of replay protection on the protected resource, or you can immediately revoke the token after use against a revocation API and make sure the RP is checking for revoked tokens against the same API/endpoint.  You do have a race here, so you have to sort out what you'll make synchronous calls against for this.
>
>Regards,
>
>-bill
>
>
>________________________________
>From: Declan Newman <declan.newman@semantico.com>
>To: oauth@ietf.org
>Cc: Will Simpson <will.simpson@semantico.com>; Geoffrey Bilder <gbilder@crossref.org>
>Sent: Tuesday, November 8, 2011 1:58 AM
>Subject: [OAUTH-WG] Single transaction token
>
>Hello,
>
>We're currently implementing an OAuth 2 provider for a client, who needs to have the facility to authenticate/authorise a client to update in a single transaction.
>
>Is there a way to specify the validity of a token on a per-transaction basis, as opposed to a timeframe?
>
>Any help much appreciated.
>
>Regards,
>
>Dec
>
>----------------------------------------------------------------------------
>Declan Newman, Development Team Leader,
>Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
><mailto:Declan.Newman@semantico.com>
><tel:+44-1273-358247>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>

----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:Declan.Newman@semantico.com>
<tel:+44-1273-358247>
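The design discussed in this thread, as an added example that is not part of the thread and not Semantico's or anyone else's code: Bill's points (transaction data bound into the token, replay protection at the protected resource, one synchronous check-and-revoke call so the "use it" and "revoke it" steps cannot race) and Declan's scheme (write scope takes a write-lock on the record, the token is good for exactly one write with a short expires_in, afterwards its expiry is moved into the past and a refresh token yields a read-only token). Tokens are opaque random strings whose state lives in the authorization server, which is the "own application data in an opaque token" approach Bill describes. The names AuthServer, ResourceServer, consume_write, introspect, the 30-second write TTL and the in-memory dictionaries are assumptions of this example; the `now` parameter replaces the wall clock so the sequence is reproducible.

```python
import secrets
import threading
from dataclasses import dataclass


@dataclass
class TokenState:
    """Server-side state behind an opaque access token (the "application data")."""
    client_id: str
    scope: str          # "read" (time-limited) or "write" (one transaction)
    record_id: str      # transaction data bound into a write token; None for read
    expires_at: float   # absolute time; moved into the past to revoke
    refresh_token: str


class AuthServer:
    """Issues opaque tokens, holds their state, and answers status checks (assumed design)."""

    WRITE_TTL = 30.0    # short expires_in for a one-shot write token (assumed value)
    READ_TTL = 3600.0

    def __init__(self):
        self._tokens = {}       # access_token -> TokenState
        self._refresh = {}      # refresh_token -> client_id
        self._write_locks = {}  # record_id -> access_token holding the write-lock
        self._mutex = threading.Lock()

    def issue(self, client_id, scope, now, record_id=None):
        """Return (access_token, refresh_token, expires_in); raise if refused."""
        with self._mutex:
            if scope == "write":
                if record_id is None:
                    raise ValueError("write scope must be bound to a record")
                if record_id in self._write_locks:
                    raise PermissionError("record is already write-locked")
                ttl = self.WRITE_TTL
            elif scope == "read":
                ttl = self.READ_TTL
            else:
                raise ValueError("unknown scope")
            access = secrets.token_urlsafe(32)     # opaque: no client-visible structure
            refresh = secrets.token_urlsafe(32)
            self._tokens[access] = TokenState(client_id, scope, record_id, now + ttl, refresh)
            self._refresh[refresh] = client_id
            if scope == "write":
                self._write_locks[record_id] = access
            return access, refresh, ttl

    def introspect(self, token, now):
        """Read-only status check used by the resource server for reads."""
        with self._mutex:
            st = self._tokens.get(token)
            if st is None or st.expires_at <= now:
                return {"active": False}
            return {"active": True, "scope": st.scope, "record_id": st.record_id}

    def consume_write(self, token, record_id, now):
        """Validate a write token for record_id and retire it in one atomic step.

        Succeeds at most once per token: expiry is moved into the past and the
        write-lock released, so a replay fails. Check and revocation under one
        mutex, in the one synchronous call the RP makes, closes the race.
        """
        with self._mutex:
            st = self._tokens.get(token)
            if (st is None or st.scope != "write"
                    or st.record_id != record_id or st.expires_at <= now):
                return False
            st.expires_at = now - 1.0                  # "expires" timestamp now in the past
            if self._write_locks.get(record_id) == token:
                del self._write_locks[record_id]       # release the write-lock
            return True

    def refresh(self, refresh_token, now):
        """Trade a single-use refresh token for a new read-only access token."""
        with self._mutex:
            client_id = self._refresh.pop(refresh_token, None)
        if client_id is None:
            raise PermissionError("unknown refresh token")
        return self.issue(client_id, "read", now)


class ResourceServer:
    """Protected resource; every request makes one synchronous call to the AS."""

    def __init__(self, auth):
        self.auth = auth
        self.store = {}     # record_id -> payload (in-memory stand-in for the real store)

    def update(self, token, record_id, payload, now):
        """Single-transaction write: 200 once, 403 on replay, expiry or wrong record."""
        if not self.auth.consume_write(token, record_id, now):
            return 403
        self.store[record_id] = payload
        return 200

    def read(self, token, record_id, now):
        if not self.auth.introspect(token, now)["active"]:
            return 401
        return 200 if record_id in self.store else 404
```

The resource server never inspects the token string itself; the record binding and the one-shot property are state the authorization server keeps, so a captured token replayed after the write is refused by the same call that performed the first check. A self-contained (signed) token could carry the same fields, but the "used" bit would still need a server-side check, which is why the single synchronous consume call is kept here.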
---1055047407-1803035394-1320814116=:69891
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:Co=
urier New, courier, monaco, monospace, sans-serif;font-size:12pt"><div><spa=
n>Nothing here is at all in variance with the OAuth 2 spec.&nbsp; Everythin=
g you're talkign abotu fits nicely into the "put your own application data =
into an opaque token.<br></span></div><div><br></div><div style=3D"font-fam=
ily: Courier New, courier, monaco, monospace, sans-serif; font-size: 12pt;"=
><div style=3D"font-family: times new roman, new york, times, serif; font-s=
ize: 12pt;"><font face=3D"Arial" size=3D"2"><hr size=3D"1"><b><span style=
=3D"font-weight:bold;">From:</span></b> Declan Newman &lt;declan.newman@sem=
antico.com&gt;<br><b><span style=3D"font-weight: bold;">To:</span></b> Will=
iam Mills &lt;wmills@yahoo-inc.com&gt;<br><b><span style=3D"font-weight: bo=
ld;">Cc:</span></b> oauth@ietf.org; Geoffrey Bilder &lt;gbilder@crossref.or=
g&gt;; Will Simpson &lt;will.simpson@semantico.com&gt;<br><b><span style=3D=
"font-weight:
 bold;">Sent:</span></b> Tuesday, November 8, 2011 2:36 PM<br><b><span styl=
e=3D"font-weight: bold;">Subject:</span></b> Re: [OAUTH-WG] Single transact=
ion token<br></font><br>=0A<div id=3D"yiv1470662926"><div><div>Thanks very =
much for for your thoughts.</div><div><br></div><div>With your comments in =
mind, our current thinking is that the initial requests' &nbsp;scope will d=
etermine the access token's life.&nbsp;</div><div><br></div><div>If a 'writ=
e scope' is requested, a write-lock is placed on the corresponding record a=
nd the token is valid for one write operation (with a short expires_in), af=
ter which the write-lock is released and the token's expires timestamp is s=
et to a time in the past, allowing the caller to&nbsp;use a refresh token t=
o resume read-only operations using newly created access token.</div><div><=
br></div><div>In this scenario, the "expires_in" value will be used to revo=
ke the access token, rather than an explicit delete.</div><div><br></div><d=
iv>I'd be really interested in getting peoples views on how this adheres to=
 the the current OAuth 2 specification.</div><div><br></div><div>Thanks
 again,</div><div><br></div><div>Dec</div><div><br></div><div><br><div><div=
>On 8 Nov 2011, at 15:35, William Mills wrote:</div><br class=3D"yiv1470662=
926Apple-interchange-newline"><blockquote type=3D"cite"><div><div style=3D"=
color:#000;background-color:#fff;font-family:Courier New, courier, monaco, =
monospace, sans-serif;font-size:12pt;"><div><span>The problem is that the t=
oken has no state about the transaction.&nbsp; Is the transaction already d=
etermined when the token is issued?&nbsp; If so then put the transaction da=
t ain the token and make it non-repeatable.</span></div><div><br><span></sp=
an></div><div><span>If this is an auth token for an arbitrary single action=
 you have to put some form of replay protection on the protected resource, =
or you can immediately revoke the token after use against a revocation API =
and make sure the RP is checking for revoked tokens against the same API/en=
dpoint.&nbsp; You do have a race here, so you have to sort out what you'll
 make synchronous calls against for this.</span></div><div><br><span></span=
></div><div><span>Regards,</span></div><div><br><span></span></div><div><sp=
an>-bill<br></span></div><div><br></div><div style=3D"font-family:Courier N=
ew, courier, monaco, monospace, sans-serif;font-size:12pt;"><div style=3D"f=
ont-family:times new roman, new york, times, serif;font-size:12pt;"><font f=
ace=3D"Arial" size=3D"2"><hr size=3D"1"><b><span style=3D"font-weight:bold;=
">From:</span></b> Declan Newman &lt;<a rel=3D"nofollow" ymailto=3D"mailto:=
declan.newman@semantico.com" target=3D"_blank" href=3D"mailto:declan.newman=
@semantico.com">declan.newman@semantico.com</a>&gt;<br><b><span style=3D"fo=
nt-weight:bold;">To:</span></b> <a rel=3D"nofollow" ymailto=3D"mailto:oauth=
@ietf.org" target=3D"_blank" href=3D"mailto:oauth@ietf.org">oauth@ietf.org<=
/a><br><b><span style=3D"font-weight:bold;">Cc:</span></b> Will Simpson &lt=
;<a rel=3D"nofollow" ymailto=3D"mailto:will.simpson@semantico.com" target=
=3D"_blank"
 href=3D"mailto:will.simpson@semantico.com">will.simpson@semantico.com</a>&=
gt;; Geoffrey Bilder &lt;<a rel=3D"nofollow" ymailto=3D"mailto:gbilder@cros=
sref.org" target=3D"_blank" href=3D"mailto:gbilder@crossref.org">gbilder@cr=
ossref.org</a>&gt;<br><b><span style=3D"font-weight:bold;">Sent:</span></b>=
 Tuesday, November 8, 2011 1:58 AM<br><b><span style=3D"font-weight:bold;">=
Subject:</span></b> [OAUTH-WG] Single transaction token<br></font><br>=0A<d=
iv id=3D"yiv1470662926"><div>Hello,<div><br></div><div>We're currently impl=
ementing OAuth 2 provider for a client, whom needs to have the facility to =
authenticate/authorise a client to update in a single transaction.</div><di=
v><br></div><div>Is there a way to specify the validity of a token on a per=
-transaction basis, as opposed to a timeframe?</div><div><br></div><div>Any=
 help much appreciated.</div><div><br></div><div>Regards,</div><div><br></d=
iv><div>Dec</div><div><br><div>=0A<span class=3D"yiv1470662926Apple-style-s=
pan" style=3D"border-collapse:separate;color:rgb(0, 0, 0);font-family:Helve=
tica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacin=
g:normal;line-height:normal;orphans:2;text-align:auto;text-indent:0px;text-=
transform:none;white-space:normal;widows:2;word-spacing:0px;font-size:mediu=
m;"><span class=3D"yiv1470662926Apple-style-span" style=3D"border-collapse:=
separate;color:rgb(0, 0, 0);font-family:Helvetica;font-style:normal;font-va=
riant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;or=
phans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;wor=
d-spacing:0px;font-size:medium;"><div style=3D"word-wrap:break-word;"><div>=
---------------------------------------------------------------------------=
-<br>Declan Newman, Development Team Leader,<br>Semantico, Floor 1, 21-23 D=
yke Road, Brighton BN1 3FE<br>&lt;<a rel=3D"nofollow" ymailto=3D"mailto:Dec=
lan.Newman@semantico.com" target=3D"_blank"
 href=3D"mailto:Declan.Newman@semantico.com">mailto:Declan.Newman@semantico=
.com</a>&gt;<br>&lt;tel:+44-1273-358247&gt;</div></div></span></span>=0A</d=
iv>=0A<br></div></div></div><br>___________________________________________=
____<br>OAuth mailing list<br><a rel=3D"nofollow" ymailto=3D"mailto:OAuth@i=
etf.org" target=3D"_blank" href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a=
><br><a rel=3D"nofollow" target=3D"_blank" href=3D"https://www.ietf.org/mai=
lman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br><br=
><br></div></div></div></div></blockquote></div><br><div>=0A<span class=3D"=
yiv1470662926Apple-style-span" style=3D"border-collapse:separate;color:rgb(=
0, 0, 0);font-family:Helvetica;font-style:normal;font-variant:normal;font-w=
eight:normal;letter-spacing:normal;line-height:normal;orphans:2;text-align:=
auto;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-s=
pacing:0px;font-size:medium;"><span class=3D"yiv1470662926Apple-style-span"=
 style=3D"border-collapse:separate;color:rgb(0, 0, 0);font-family:Helvetica=
;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:no=
rmal;line-height:normal;orphans:2;text-indent:0px;text-transform:none;white=
-space:normal;widows:2;word-spacing:0px;font-size:medium;"><div style=3D"wo=
rd-wrap:break-word;"><div>-------------------------------------------------=
---------------------------<br>Declan Newman, Development Team Leader,<br>S=
emantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE<br>&lt;<a rel=3D"nofol=
low" ymailto=3D"mailto:Declan.Newman@semantico.com" target=3D"_blank"
 href=3D"mailto:Declan.Newman@semantico.com">mailto:Declan.Newman@semantico=
.com</a>&gt;<br>&lt;tel:+44-1273-358247&gt;</div></div></span></span>=0A</d=
iv>=0A<br></div></div></div><br><br></div></div></div></body></html>
---1055047407-1803035394-1320814116=:69891--

From stpeter@stpeter.im  Wed Nov  9 15:32:40 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3973B21F84A3 for <oauth@ietfa.amsl.com>; Wed,  9 Nov 2011 15:32:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.846
X-Spam-Level: 
X-Spam-Status: No, score=-102.846 tagged_above=-999 required=5 tests=[AWL=-0.247, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6dn2+2SWvCxy for <oauth@ietfa.amsl.com>; Wed,  9 Nov 2011 15:32:39 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 8BEED21F84A2 for <oauth@ietf.org>; Wed,  9 Nov 2011 15:32:39 -0800 (PST)
Received: from normz.cisco.com (unknown [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 75E9C41FC7; Wed,  9 Nov 2011 16:38:36 -0700 (MST)
Message-ID: <4EBB0D96.50808@stpeter.im>
Date: Wed, 09 Nov 2011 16:32:38 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F6F02EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F6F02EF@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -14
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 23:32:40 -0000

On 11/7/11 11:22 AM, Mike Jones wrote:
> Draft 14 of the OAuth 2.0 Bearer Token Specification
> <http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html> has been
> published.

FYI, I've asked folks in the HTTPbis WG to review this spec, as well 
(paying special attention to the "Bearer" authentication scheme).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From stpeter@stpeter.im  Wed Nov  9 16:34:18 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 265FC1F0C35 for <oauth@ietfa.amsl.com>; Wed,  9 Nov 2011 16:34:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.817
X-Spam-Level: 
X-Spam-Status: No, score=-102.817 tagged_above=-999 required=5 tests=[AWL=-0.218, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ferINZFSktd for <oauth@ietfa.amsl.com>; Wed,  9 Nov 2011 16:34:17 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 4BABE1F0C34 for <oauth@ietf.org>; Wed,  9 Nov 2011 16:34:17 -0800 (PST)
Received: from normz.cisco.com (unknown [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 605EA41FC7 for <oauth@ietf.org>; Wed,  9 Nov 2011 17:40:14 -0700 (MST)
Message-ID: <4EBB1C07.6060407@stpeter.im>
Date: Wed, 09 Nov 2011 17:34:15 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
References: <20110830195516.9445.90096.idtracker@ietfa.amsl.com>
In-Reply-To: <20110830195516.9445.90096.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2011 00:34:18 -0000

On 8/30/11 1:55 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>
> 	Title           : An IETF URN Sub-Namespace for OAuth
> 	Author(s)       : Hannes Tschofenig
> 	Filename        : draft-ietf-oauth-urn-sub-ns-00.txt
> 	Pages           : 5
> 	Date            : 2011-08-30
>
>     This document establishes an IETF URN Sub-namespace for use with
>     OAuth related specifications.

Seems like a good idea.

The security considerations point to RFC 3553, but that just points to 
RFC 2141, so you might as well point to the latter spec.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From matake@gmail.com  Fri Nov 11 00:23:51 2011
Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02A8521F8469 for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2011 00:23:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.97
X-Spam-Level: 
X-Spam-Status: No, score=-2.97 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_RECV_IP_218216=0.629]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NqS-XwciHb3 for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2011 00:23:50 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6367B21F8468 for <oauth@ietf.org>; Fri, 11 Nov 2011 00:23:50 -0800 (PST)
Received: by ggnr4 with SMTP id r4so2815775ggn.31 for <oauth@ietf.org>; Fri, 11 Nov 2011 00:23:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; bh=ZhyO9lMzUMl+RyJlkjW3cVsxXr35G2lRKz5E3GC+m1E=; b=iSxWjRbrfhBwsuhy7wUZDnXrZKMYtZdkE9eZUNFxxOoHkMK6BMln8LiQccp3I4IKFU U9D3bWviZvrBHwncrrEE8D0gYizo2ssWitgu/zr/c4SwT3W5AH5AVuMsXdkOWvnxjB+k aeVZE0lUYJQZ/xj2hUOtR1/4WJWakT3uDaZ2o=
Received: by 10.68.37.97 with SMTP id x1mr22044083pbj.14.1320999829699; Fri, 11 Nov 2011 00:23:49 -0800 (PST)
Received: from [172.16.8.184] ([218.223.19.176]) by mx.google.com with ESMTPS id b2sm28300329pbc.2.2011.11.11.00.23.48 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 11 Nov 2011 00:23:48 -0800 (PST)
From: "matake@gmail" <matake@gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Fri, 11 Nov 2011 17:23:49 +0900
Message-Id: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com>
To: oauth WG <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1251.1)
X-Mailer: Apple Mail (2.1251.1)
Subject: [OAUTH-WG] Question on section 10.3 in Core spec.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2011 08:23:51 -0000

Hi all,

I'm now translating OAuth 2.0 Core & Bearer specs into Japanese with my =
friends.
I have one question on section 10.3 in Core spec.

"To prevent this form of attack, native applications SHOULD use external =
browsers instead of embedding browsers in an iframe when requesting =
end-user authorization."

Here, what do you mean for "in an iframe"?
I thought it means "embedded browser is in an iframe", but I can't =
imagine it can be..

Thanks in advance

--
nov matake=

From torsten@lodderstedt.net  Fri Nov 11 05:59:44 2011
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F0B421F8A67 for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2011 05:59:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level: 
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[AWL=0.162,  BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4X9PqoOywi3a for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2011 05:59:44 -0800 (PST)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.43]) by ietfa.amsl.com (Postfix) with ESMTP id 0621421F8A62 for <oauth@ietf.org>; Fri, 11 Nov 2011 05:59:43 -0800 (PST)
Received: from [79.253.25.216] (helo=[192.168.71.35]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1ROrdt-0004EI-Qr; Fri, 11 Nov 2011 14:59:41 +0100
Message-ID: <4EBD2A50.5050202@lodderstedt.net>
Date: Fri, 11 Nov 2011 14:59:44 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: "matake@gmail" <matake@gmail.com>
References: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com>
In-Reply-To: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question on section 10.3 in Core spec.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2011 13:59:44 -0000

Hi,

you are right, iframe is not the correct technique here. Browsers are 
embedded into a native UI using browser widget or something similar. I 
think "... embedding a browser into the application's user interface 
when requesting end-user authorization ..." would fit better.

regards,
Torsten.

Am 11.11.2011 09:23, schrieb matake@gmail:
> Hi all,
>
> I'm now translating OAuth 2.0 Core & Bearer specs into Japanese with my friends.
> I have one question on section 10.3 in Core spec.
>
> "To prevent this form of attack, native applications SHOULD use external browsers instead of embedding browsers in an iframe when requesting end-user authorization."
>
> Here, what do you mean for "in an iframe"?
> I thought it means "embedded browser is in an iframe", but I can't imagine it can be..
>
> Thanks in advance
>
> --
> nov matake
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From matake@gmail.com  Fri Nov 11 19:04:22 2011
Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC8E311E8080 for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2011 19:04:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGmj3tZ1CFax for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2011 19:04:22 -0800 (PST)
Received: from mail-pz0-f50.google.com (mail-pz0-f50.google.com [209.85.210.50]) by ietfa.amsl.com (Postfix) with ESMTP id 6D4B311E8073 for <oauth@ietf.org>; Fri, 11 Nov 2011 19:04:22 -0800 (PST)
Received: by pzk5 with SMTP id 5so3455991pzk.9 for <oauth@ietf.org>; Fri, 11 Nov 2011 19:04:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=IbcflpiwSFvC4HVAhDIESH1YQ+XVg+Mg1qYgRA4LEwk=; b=Jm7U8IVK7ZPQ35VR5+3FmMWMRlK3Dt+uG3xwCg8lpcqc0jfdIQwCjH/+LJoVZ0aWxZ 3hl5scfe6Fn4K3vy6OKHnbjj42yCvnVA3+alhqf1dd6Opsp+0OIq3oIUwoAMvAvxtgqF YMNtwetayBzWTHoU+JpNIwlz3BOEGdLWARatI=
Received: by 10.68.12.199 with SMTP id a7mr29216008pbc.58.1321067061730; Fri, 11 Nov 2011 19:04:21 -0800 (PST)
Received: from [192.168.1.108] (s141241.dynamic.ppp.asahi-net.or.jp. [220.157.141.241]) by mx.google.com with ESMTPS id wn14sm35128583pbb.5.2011.11.11.19.04.19 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 11 Nov 2011 19:04:20 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=iso-8859-1
From: "matake@gmail" <matake@gmail.com>
In-Reply-To: <4EBD2A50.5050202@lodderstedt.net>
Date: Sat, 12 Nov 2011 12:04:18 +0900
Content-Transfer-Encoding: quoted-printable
Message-Id: <E881EB05-B8F4-4E3D-BE68-884843E25EAB@gmail.com>
References: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com> <4EBD2A50.5050202@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1251.1)
Cc: "wg-trans@openid.or.jp OIDF-J" <wg-trans@openid.or.jp>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question on section 10.3 in Core spec.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Nov 2011 03:04:23 -0000

Ah, now I got it.
Thanks!

On 2011/11/11, at 22:59, Torsten Lodderstedt wrote:

> Hi,
>=20
> you are right, iframe is not the correct technique here. Browsers are =
embedded into a native UI using browser widget or something similar. I =
think "... embedding a browser into the application's user interface =
when requesting end-user authorization ..." would fit better.
>=20
> regards,
> Torsten.
>=20
> Am 11.11.2011 09:23, schrieb matake@gmail:
>> Hi all,
>>=20
>> I'm now translating OAuth 2.0 Core & Bearer specs into Japanese with =
my friends.
>> I have one question on section 10.3 in Core spec.
>>=20
>> "To prevent this form of attack, native applications SHOULD use =
external browsers instead of embedding browsers in an iframe when =
requesting end-user authorization."
>>=20
>> Here, what do you mean for "in an iframe"?
>> I thought it means "embedded browser is in an iframe", but I can't =
imagine it can be..
>>=20
>> Thanks in advance
>>=20
>> --
>> nov matake
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


From ve7jtb@ve7jtb.com  Sat Nov 12 07:13:15 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C53921F86EC for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2011 07:13:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.549
X-Spam-Level: 
X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5 tests=[AWL=0.050,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8sE0NqjiHia0 for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2011 07:13:14 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id B980D21F84ED for <oauth@ietf.org>; Sat, 12 Nov 2011 07:13:14 -0800 (PST)
Received: by yenq4 with SMTP id q4so1980075yen.31 for <oauth@ietf.org>; Sat, 12 Nov 2011 07:13:14 -0800 (PST)
Received: by 10.236.190.197 with SMTP id e45mr3725669yhn.101.1321110794341; Sat, 12 Nov 2011 07:13:14 -0800 (PST)
Received: from [192.168.1.6] ([190.22.111.107]) by mx.google.com with ESMTPS id 36sm43702915anz.2.2011.11.12.07.13.11 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 12 Nov 2011 07:13:13 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_24D8E49B-E264-4367-B7F7-8861F7899F09"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com>
Date: Sat, 12 Nov 2011 10:13:11 -0500
Message-Id: <EC329132-D232-4D7A-8C1B-389621F00AF1@ve7jtb.com>
References: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com>
To: "matake@gmail" <matake@gmail.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question on section 10.3 in Core spec.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Nov 2011 15:13:15 -0000

--Apple-Mail=_24D8E49B-E264-4367-B7F7-8861F7899F09
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

You are asking about 10.13 I think.

The important idea is to give the user a browser that gives them a =
browser bar so they can tell if the SSL and domain are correct.

Some native applications (JS) may be able to invoke a frameless iframe =
browse window. =20

It would be better to be clear and translate as Full Frame external =
Browser window. =20

No iframe only applies to some environments.

At least that is how I read the section.

John B.
On 2011-11-11, at 3:23 AM, matake@gmail wrote:

> Hi all,
>=20
> I'm now translating OAuth 2.0 Core & Bearer specs into Japanese with =
my friends.
> I have one question on section 10.3 in Core spec.
>=20
> "To prevent this form of attack, native applications SHOULD use =
external browsers instead of embedding browsers in an iframe when =
requesting end-user authorization."
>=20
> Here, what do you mean for "in an iframe"?
> I thought it means "embedded browser is in an iframe", but I can't =
imagine it can be..
>=20
> Thanks in advance
>=20
> --
> nov matake
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_24D8E49B-E264-4367-B7F7-8861F7899F09
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_24D8E49B-E264-4367-B7F7-8861F7899F09--

From matake@gmail.com  Sat Nov 12 17:04:41 2011
Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1827C21F8922 for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2011 17:04:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cM8vjVP8J9Az for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2011 17:04:40 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 56ED421F891D for <oauth@ietf.org>; Sat, 12 Nov 2011 17:04:40 -0800 (PST)
Received: by iaeo4 with SMTP id o4so7313135iae.31 for <oauth@ietf.org>; Sat, 12 Nov 2011 17:04:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=yhqhj0MMz+pIe8bDtKfGD0s1UXTczZ2a7PBgakRDnBk=; b=Pv3YrvzuKYzTmFq8MvD1jc1l9wcJiT52xRZNrhEpaEiIIbzrGn/eDO5ofTlQFAYFYG K2/iCw3jsxrvteKkL0xIbok+IpqINyA/C/rB+nNgik0MkPP5ztLySBveG+UQwWU5vwrM eOZewxfHdwYDtC7Ol970dZSecxsEpCa1Z2SH8=
Received: by 10.68.5.136 with SMTP id s8mr26729953pbs.10.1321146279808; Sat, 12 Nov 2011 17:04:39 -0800 (PST)
Received: from [192.168.1.108] (s141241.dynamic.ppp.asahi-net.or.jp. [220.157.141.241]) by mx.google.com with ESMTPS id g8sm25021737pbe.11.2011.11.12.17.04.38 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 12 Nov 2011 17:04:38 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: "matake@gmail" <matake@gmail.com>
In-Reply-To: <EC329132-D232-4D7A-8C1B-389621F00AF1@ve7jtb.com>
Date: Sun, 13 Nov 2011 10:04:42 +0900
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9333582-BAB9-46F7-AB30-87253C89C722@gmail.com>
References: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com> <EC329132-D232-4D7A-8C1B-389621F00AF1@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question on section 10.3 in Core spec.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2011 01:04:41 -0000

Ah, right, 10.13 I meant.

So I read the section as
- "in an iframe" and "external browsers" are not related
- and it's talking about "no address bar" situation.

On 2011/11/13, at 0:13, John Bradley wrote:

> You are asking about 10.13 I think.
>=20
> The important idea is to give the user a browser that gives them a =
browser bar so they can tell if the SSL and domain are correct.
>=20
> Some native applications (JS) may be able to invoke a frameless iframe =
browse window. =20
>=20
> It would be better to be clear and translate as Full Frame external =
Browser window. =20
>=20
> No iframe only applies to some environments.
>=20
> At least that is how I read the section.
>=20
> John B.
> On 2011-11-11, at 3:23 AM, matake@gmail wrote:
>=20
>> Hi all,
>>=20
>> I'm now translating OAuth 2.0 Core & Bearer specs into Japanese with =
my friends.
>> I have one question on section 10.3 in Core spec.
>>=20
>> "To prevent this form of attack, native applications SHOULD use =
external browsers instead of embedding browsers in an iframe when =
requesting end-user authorization."
>>=20
>> Here, what do you mean for "in an iframe"?
>> I thought it means "embedded browser is in an iframe", but I can't =
imagine it can be..
>>=20
>> Thanks in advance
>>=20
>> --
>> nov matake
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>=20


From stpeter@stpeter.im  Sat Nov 12 18:29:59 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3E9A11E8083 for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2011 18:29:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.412
X-Spam-Level: 
X-Spam-Status: No, score=-102.412 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, HTTP_ESCAPED_HOST=0.134, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cw6zmE0y+kaT for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2011 18:29:59 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 1BE0711E808D for <oauth@ietf.org>; Sat, 12 Nov 2011 18:29:59 -0800 (PST)
Received: from dhcp-13ac.meeting.ietf.org (unknown [130.129.19.172]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 34D95404FF; Sat, 12 Nov 2011 19:36:04 -0700 (MST)
Message-ID: <4EBF2BA3.10200@stpeter.im>
Date: Sun, 13 Nov 2011 10:29:55 +0800
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4CE5E01F.1020207@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E723445A8FB27F9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A8FB27F9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2011 02:30:00 -0000

Finally processed.

On 1/28/11 8:24 AM, Eran Hammer-Lahav wrote:
> Verified as correct.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Peter Saint-Andre
>> Sent: Thursday, November 18, 2010 6:26 PM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)
>>
>> Folks, is this erratum accurate?
>>
>>
>> -------- Original Message --------
>> Subject: [Technical Errata Reported] RFC5849 (2550)
>> Date: Tue, 12 Oct 2010 09:42:17 -0700 (PDT)
>> From: RFC Errata System<rfc-editor@rfc-editor.org>
>> To: eran@hueniverse.com, iesg@iesg.org
>> CC: alasdair@lovefilm.com, rfc-editor@rfc-editor.org
>>
>>
>> The following errata report has been submitted for RFC5849, "The OAuth 1.0
>> Protocol".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=5849&eid=2550
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Alasdair McIntyre<alasdair@lovefilm.com>
>>
>> Section: GLOBAL
>>
>> Original Text
>> -------------
>> Section 3.1
>> oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
>>
>> Section 3.4.1.1
>> oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
>>
>> Section 3.4.1.3.1
>> oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"
>>
>>
>>
>> Corrected Text
>> --------------
>> Section 3.1
>> oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"
>>
>> Section 3.4.1.1
>> oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"
>>
>> Section 3.4.1.3.1
>> oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"
>>
>>
>> Notes
>> -----
>> (Apologies - this supersedes Errata ID 2549).
>>
>> The signatures in sections 3.1, 3.4.1.1, and 3.4.1.3.1 of the RFC have
>> mistakenly been calculated as if with "GET". I have supplied the correct
>> "POST" signatures in the corrected text.
>>
>> For reference, here is the perl script I used to calculate the signatures:
>>
>> #!/usr/bin/perl
>> use strict;
>> use warnings;
>> use Digest::HMAC_SHA1;
>> use URI::Escape;
>> use MIME::Base64;
>>
>> my $unsafe = '^-._~A-Za-z0-9';
>> my $client_secret = 'j49sk3j29djd';
>> my $token_secret = 'dh893hdasih9';
>> my $key = join('&', $client_secret, $token_secret);
>>
>> my $uri_base = 'http%3A%2F%2Fexample.com%2Frequest';
>> my $params = join('', qw(
>>      a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D
>>      %253D%25253D%26c%2540%3D%26c2%3D%26oauth_con
>>      sumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3
>>      D7d8f3e4a%26oauth_signature_method%3DHMAC-SH
>>      A1%26oauth_timestamp%3D137131201%26oauth_tok
>>      en%3Dkkk9d7dh3k39sjv7
>> ));
>>
>> foreach my $method ('GET', 'POST') {
>>      my $base_sig = join('&', $method, $uri_base, $params);
>>      my $bin_sig = Digest::HMAC_SHA1::hmac_sha1($base_sig, $key);
>>      my $b64_sig = MIME::Base64::encode_base64($bin_sig, '');
>>      my $enc_sig = URI::Escape::uri_escape($b64_sig, $unsafe);
>>      printf "%-8s %s\n", $method, $enc_sig;
>> }
>>
>> Instructions:
>> -------------
>> This errata is currently posted as "Reported". If necessary, please use "Reply
>> All" to discuss whether it should be verified or rejected. When a decision is
>> reached, the verifying party (IESG) can log in to change the status and edit
>> the report, if necessary.
>>
>> --------------------------------------
>> RFC5849 (draft-hammer-oauth-10)
>> --------------------------------------
>> Title               : The OAuth 1.0 Protocol
>> Publication Date    : April 2010
>> Author(s)           : E. Hammer-Lahav, Ed.
>> Category            : INFORMATIONAL
>> Source              : IETF - NON WORKING GROUP
>> Area                : N/A
>> Stream              : IETF
>> Verifying Party     : IESG
>


-- 
Peter Saint-Andre
https://stpeter.im/
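
The erratum's point can be reproduced with nothing but a standard library. What follows is an added example (my code, not the reporter's Perl script, not the RFC's own text): it builds the signature base string from the percent-decoded request parameters of the RFC 5849 section 3.4.1.3.1 example (normalizing them as section 3.4.1.3.2 prescribes), derives the HMAC-SHA1 key from the two secrets quoted in the script above, and computes the signature for both GET and POST. A `verify_signature` helper shows the server-side check, which compares the two strings in constant time. Function names are mine; the parameter values, secrets and URI are those of the RFC example.

```python
# Added example (not part of the erratum or the RFC): recomputes the RFC 5849
# section 3.4.1.3.1 example signature with Python's standard library. The
# request parameters, secrets and base URI are the ones quoted in the erratum.
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(value, safe="-._~")


def normalize_params(params):
    """RFC 5849 section 3.4.1.3.2: encode each pair, sort by name then value, join with '&'."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, base_uri, params):
    """RFC 5849 section 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    return "&".join([method.upper(), pct_encode(base_uri), pct_encode(normalize_params(params))])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key is enc(client secret) & enc(token secret); output is base64."""
    key = f"{pct_encode(client_secret)}&{pct_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(received_sig, base_string, client_secret, token_secret=""):
    """Server side: recompute from the request actually received and compare in constant time."""
    expected = hmac_sha1_signature(base_string, client_secret, token_secret)
    return hmac.compare_digest(expected, received_sig)


# Parameters of the RFC example request (query string, form body and Authorization
# header combined), already percent-decoded; the duplicate "a3" is deliberate.
RFC_PARAMS = [
    ("b5", "=%3D"),
    ("a3", "a"),
    ("c@", ""),
    ("a2", "r b"),
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
    ("c2", ""),
    ("a3", "2 q"),
]
RFC_BASE_URI = "http://example.com/request"
CLIENT_SECRET = "j49sk3j29djd"   # from the erratum's script
TOKEN_SECRET = "dh893hdasih9"    # from the erratum's script


def rfc_example_signature(method):
    """Signature of the RFC example, computed as if the request used `method`."""
    base = signature_base_string(method, RFC_BASE_URI, RFC_PARAMS)
    return hmac_sha1_signature(base, CLIENT_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    # Same two rows the Perl script prints: the header value is the base64
    # signature percent-encoded once more.
    for m in ("GET", "POST"):
        print(f"{m:<8} {pct_encode(rfc_example_signature(m))}")
```

The GET row is the value printed in the original RFC text and the POST row the corrected one. Feeding the POST base string and the RFC's original (GET-derived) signature to `verify_signature` returns False, which is how an implementer testing a new library against the RFC example would have noticed the discrepancy in the first place: the signed request in the RFC is a POST, so a correct verifier has to reject the signature the RFC printed.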



From ve7jtb@ve7jtb.com  Sun Nov 13 06:17:38 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29CB221F8B4E for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2011 06:17:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.552
X-Spam-Level: 
X-Spam-Status: No, score=-3.552 tagged_above=-999 required=5 tests=[AWL=0.047,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIMDUcNmQ4r3 for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2011 06:17:37 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7E35C21F8B49 for <oauth@ietf.org>; Sun, 13 Nov 2011 06:17:37 -0800 (PST)
Received: by gye5 with SMTP id 5so5034084gye.31 for <oauth@ietf.org>; Sun, 13 Nov 2011 06:17:37 -0800 (PST)
Received: by 10.236.150.161 with SMTP id z21mr8706777yhj.4.1321193857021; Sun, 13 Nov 2011 06:17:37 -0800 (PST)
Received: from [192.168.1.6] ([190.22.111.107]) by mx.google.com with ESMTPS id f76sm26252050yhj.21.2011.11.13.06.17.29 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 13 Nov 2011 06:17:36 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_FE0C16C1-D121-45BA-B669-D22C00C5C7DE"; protocol="application/pkcs7-signature"; micalg=sha1
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <A9333582-BAB9-46F7-AB30-87253C89C722@gmail.com>
Date: Sun, 13 Nov 2011 09:17:25 -0500
Message-Id: <EC675A1F-BEFD-4446-B3BC-0C866194D752@ve7jtb.com>
References: <DFD088E3-B273-4FA6-B61D-313423D58E4F@gmail.com> <EC329132-D232-4D7A-8C1B-389621F00AF1@ve7jtb.com> <A9333582-BAB9-46F7-AB30-87253C89C722@gmail.com>
To: "matake@gmail" <matake@gmail.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question on section 10.3 in Core spec.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2011 14:17:38 -0000

--Apple-Mail=_FE0C16C1-D121-45BA-B669-D22C00C5C7DE
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

It is about the user trusting the browser the client is presenting.

If the client is presenting an Authorization endpoint dialog in an embedded browser it controls or in an iframe, there is more it can do to get the user's login credentials or authorization from a site that the user doesn't know they are granting.

Now a bad client is not going to follow this advice, because they are bad.

This can only be effective if good clients follow the example and train users to notice when something suspicious is going on.

John B.
On 2011-11-12, at 8:04 PM, matake@gmail wrote:

> Ah, right, 10.13 I meant.
> 
> So I read the section as
> - "in an iframe" and "external browsers" are not related
> - and it's talking about "no address bar" situation.
> 
> On 2011/11/13, at 0:13, John Bradley wrote:
> 
>> You are asking about 10.13 I think.
>> 
>> The important idea is to give the user a browser that gives them a browser bar so they can tell if the SSL and domain are correct.
>> 
>> Some native applications (JS) may be able to invoke a frameless iframe browser window.
>> 
>> It would be better to be clear and translate as Full Frame external Browser window.
>> 
>> No iframe only applies to some environments.
>> 
>> At least that is how I read the section.
>> 
>> John B.
>> On 2011-11-11, at 3:23 AM, matake@gmail wrote:
>> 
>>> Hi all,
>>> 
>>> I'm now translating OAuth 2.0 Core & Bearer specs into Japanese with my friends.
>>> I have one question on section 10.3 in Core spec.
>>> 
>>> "To prevent this form of attack, native applications SHOULD use external browsers instead of embedding browsers in an iframe when requesting end-user authorization."
>>> 
>>> Here, what do you mean for "in an iframe"?
>>> I thought it means "embedded browser is in an iframe", but I can't imagine it can be..
>>> 
>>> Thanks in advance
>>> 
>>> --
>>> nov matake
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 


--Apple-Mail=_FE0C16C1-D121-45BA-B669-D22C00C5C7DE
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_FE0C16C1-D121-45BA-B669-D22C00C5C7DE--

From crew@cs.stanford.edu  Sun Nov 13 16:18:09 2011
Return-Path: <crew@cs.stanford.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1AEC21F86FF for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2011 16:18:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.665
X-Spam-Level: 
X-Spam-Status: No, score=-1.665 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_36=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDa2fSkxhW7r for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2011 16:18:09 -0800 (PST)
Received: from mail.fyigm.com (mail.fyigm.com [69.17.114.80]) by ietfa.amsl.com (Postfix) with ESMTP id 209FB21F86EC for <oauth@ietf.org>; Sun, 13 Nov 2011 16:18:08 -0800 (PST)
Received: from rfc by mail.fyigm.com with local (Exim 4.72) (envelope-from <crew@cs.stanford.edu>) id 1RPkGC-0007cE-Ud; Sun, 13 Nov 2011 16:18:52 -0800
From: Roger Crew <crew@cs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20160.24172.942808.563672@hagen.valhalla>
Date: Sun, 13 Nov 2011 16:18:52 -0800
To: oauth@ietf.org
X-Mailer: VM 8.1.0 under 23.2.1 (x86_64-pc-linux-gnu)
X-Mailman-Approved-At: Sun, 13 Nov 2011 19:57:55 -0800
Subject: [OAUTH-WG] error codes in 4.1.2.1 and 4.2.2.1 and extension response types (8.4)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2011 00:26:51 -0000

[With respect to OAuth v2 draft 22]

I have some observations about the error responses at the authorization 
endpoint (4.1.2.1 and 4.2.2.1 for the authorization_code and implicit 
grant_types, respectively).

  (1) looks like a bug,
  (2) is an ambiguity and may also apply to Section 5.2,
  (3-5) are suggestions.

Onward...
-----
(1) 4.1.2.1, and 4.2.2.1 both say that in the case that client_id is
    provided and invalid/unknown, the auth server MUST NOT
    automatically redirect.

    However, if the client_id is MISSING, that clause of
    4.1.2.1/4.2.2.1 does not apply, and thence this becomes a
    malformed request (i.e., a required parameter is missing)
    which then results in an error='invalid_request' redirection.

    Which looks like a mistake to me, because in that situation
    what reason do we have to be trusting redirect_uri?
    
-----
(2) If the response_type is provided but unknown, is that an 
    'invalid_request' (since this is clearly an "unsupported 
    parameter value") or is it an 'unsupported_response_type'?

    Seems to me it should be the latter.  If so, then...

    Given that for ALL currently defined parameters to authorization
    endpoint requests, there are already provisions for what happens
    if the value is provided but invalid/unsupported/etc, i.e.,

       bad client_id     => do not redirect
       bad redirect_uri  => do not redirect
       bad response_type => redirect error='unsupported_response_type'
       bad scope         => redirect error='invalid_scope'
       bad state         => undetectable from the server side

    should the description for 'invalid_request' even be referring to
    "unsupported values" at all?

    A couple of alternatives (again these are for 4.1.2.1/4.2.2.1):

       invalid_request
           a required *extension* parameter is missing
           or has an unsupported value, or the request is
           otherwise malformed.

       invalid_request
           the request is malformed in some manner not covered by any
           of the other error codes defined for this response type

    Either of these would make clear that 'unsupported_response_type'
    is indeed the error code for the case of a
    provided-but-unrecognized response_type.

    Section 5.2 has the same problem w.r.t. 'unsupported_grant_type'

-----
(3) If 'server_error' and 'temporarily_unavailable' are intended to
    correspond to HTTP status codes 500 and 503, it might be good to
    say so explicitly, e.g.,

    The authorization server SHOULD, where possible, use these
    redirection error responses in preference to sending the
    corresponding status=(500|503) HTTP response in situations where
    the latter would otherwise be appropriate.

    Admittedly, there's no way an implementation is going to catch all
    of these, but I'm assuming the intent is to catch as many as
    possible?

-----
(4) The lists of error codes in 4.1.2.1 and 4.2.2.1 are essentially
    identical.  I believe these can be merged without any loss of
    clarity.  

    (... As a matter of general principle, I'm not a huge fan of
    having to chase down swaths of cut&pasted text and then having to
    use 'diff' to figure out whether/how they are different.  Better
    to combine the common stuff in a single place, use a cross
    reference and highlight the differences.  And I absolutely do not
    mind following cross-references...)

    In this case, the ONLY place where there's ANY variance at all is
    in the descriptions of 'unauthorized_client' and
    'unsupported_response_type'.

    I figure either of the following works:

        unauthorized_client
           The client is not authorized to use any of the supported
           authorization grant types implied by the requested
           response_type.

        unauthorized_client
           The client is not authorized to use this response_type.

    the latter having the advantage that we don't then get bogged
    down in the question of how response_types and grant_types relate
    to each other (see (5) below).

    And similarly for 'unsupported_response_type', viz

        unsupported_response_type
           The authorization server does not support any of the
           authorization grant types implied by the requested response
           type.

        unsupported_response_type
           The authorization server does not support this response
           type.

    at which point you can replace 4.2.2.1 with a single sentence
    referring to 4.1.2.1.

-----
(5) I am assuming that each authorization endpoint response_type is
    NOT necessarily unique to a particular authorization grant type.
    It would be helpful to state this explicitly (probably in 8.4) so
    that implementers can plan accordingly.

    And if this IS intended otherwise (i.e., that every response
    type MUST imply a particular grant type, as is the case for the
    current spec so long as no new response types are ever defined),
    then that really should be stated somewhere in 8.4.

    The reason I assume not is that this seems a straightforward (to
    me, at least) use of response_type="token code", i.e., to allow
    the server to respond EITHER as per 4.1.2 or 4.2.2 as it sees fit
    (but evidently WG members are not agreeing on whether this
    response_type is needed, hence its absence from the current spec
    other than as a remark in 8.4).



-- 
Roger Crew
crew@cs.stanford.edu
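
To make point (1) concrete, here is an added example (my code, not text from the draft or from any OAuth library) of an authorization endpoint validator that checks the client identity and the redirect URI before anything else and refuses to redirect when either is missing or unregistered; only once the redirect target is trusted does it use the redirect_uri to deliver unsupported_response_type, unauthorized_client, invalid_scope or invalid_request. The client registry, the scope names, the sample client_id and the "reject" reason strings are constructed for the example; the error codes and the ordering in the table above are the draft's.

```python
# Added example (not part of the thread or of any OAuth implementation): an
# authorization-endpoint request validator that never redirects on a missing
# or unknown client_id or an unregistered redirect_uri, and reports every
# other error through the (now trusted) redirect_uri.
from urllib.parse import urlencode

# Constructed client registry: client_id -> registered redirect URIs and the
# response types this client is allowed to use.
CLIENTS = {
    "s6BhdRkqt3": {
        "redirect_uris": ["https://client.example.com/cb"],
        "response_types": {"code"},
    },
}
SUPPORTED_RESPONSE_TYPES = {"code", "token"}   # what this server implements
KNOWN_SCOPES = {"read", "write"}              # constructed scope vocabulary


def error_redirect(redirect_uri, error, state=None, description=None):
    """4.1.2.1 / 4.2.2.1 style error response, echoing state when the client sent one."""
    q = {"error": error}
    if description:
        q["error_description"] = description
    if state is not None:
        q["state"] = state
    return ("redirect", f"{redirect_uri}?{urlencode(q)}")


def validate_authorization_request(params):
    """Return ("reject", reason) when the user agent must NOT be redirected,
    ("redirect", url) for errors the client is told about, or ("ok", client_id)."""
    state = params.get("state")

    # Step 1: identify the client. With no client_id there is no basis for
    # trusting any redirect_uri, so a missing value is treated exactly like an
    # unknown one (the gap in draft 22 that point (1) above describes).
    client_id = params.get("client_id")
    if not client_id:
        return ("reject", "missing client_id")
    if client_id not in CLIENTS:
        return ("reject", "unknown client_id")
    client = CLIENTS[client_id]

    # Step 2: establish the redirect target. A URI that is not registered for
    # this client is rejected without redirecting, so the endpoint cannot be
    # turned into an open redirector.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(client["redirect_uris"]) == 1:
        redirect_uri = client["redirect_uris"][0]
    if redirect_uri not in client["redirect_uris"]:
        return ("reject", "redirect_uri mismatch")

    # Step 3: only now are errors delivered via the redirect URI.
    response_type = params.get("response_type")
    if not response_type:
        return error_redirect(redirect_uri, "invalid_request", state, "response_type is missing")
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return error_redirect(redirect_uri, "unsupported_response_type", state)
    if response_type not in client["response_types"]:
        return error_redirect(redirect_uri, "unauthorized_client", state)

    scope = params.get("scope")
    if scope is not None and not set(scope.split()) <= KNOWN_SCOPES:
        return error_redirect(redirect_uri, "invalid_scope", state)

    return ("ok", client_id)
```

The order of the checks is the whole point: a server that validated response_type before client_id would, on a request carrying only an attacker-chosen redirect_uri, happily send the user agent there with an invalid_request error attached.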

From johnjosephbachir@gmail.com  Mon Nov 14 18:43:13 2011
Return-Path: <johnjosephbachir@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 660A611E8109 for <oauth@ietfa.amsl.com>; Mon, 14 Nov 2011 18:43:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level: 
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6REu8dTJbhEs for <oauth@ietfa.amsl.com>; Mon, 14 Nov 2011 18:43:12 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id C38B611E8087 for <oauth@ietf.org>; Mon, 14 Nov 2011 18:43:12 -0800 (PST)
Received: by yenq4 with SMTP id q4so4211613yen.31 for <oauth@ietf.org>; Mon, 14 Nov 2011 18:43:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=th1ii7pEBweOweqnW9tyCsHaBHHa0gpKrvogMZom5Ac=; b=efZbYLMOREA0cbnPd8QWnQlwQI1jX0Xf0rl+SOEdeNlq1Ti/dX56oCStUebK8hyp+Z 0GDUxCTLQTt0vCVPgP9/jT3l0PMFiFwiiu6xi7rh9GoVNSLvEY90iRPHsSHAu0LQM/qy XfnjcXBxUBBs5Tm+U/DMdFSOsu2HeR570z/Bw=
MIME-Version: 1.0
Received: by 10.182.36.100 with SMTP id p4mr5672157obj.65.1321324992272; Mon, 14 Nov 2011 18:43:12 -0800 (PST)
Sender: johnjosephbachir@gmail.com
Received: by 10.182.44.199 with HTTP; Mon, 14 Nov 2011 18:43:12 -0800 (PST)
Date: Mon, 14 Nov 2011 21:43:12 -0500
X-Google-Sender-Auth: aE_e8zrLW0e6W-EpgZn2pz56ocA
Message-ID: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com>
From: John Joseph Bachir <j@jjb.cc>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=f46d04451797cc197a04b1bcf286
Subject: [OAUTH-WG] questions about implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 02:51:13 -0000

--f46d04451797cc197a04b1bcf286
Content-Type: text/plain; charset=UTF-8

I have a few questions about the implicit grant type. Let me know if this
is covered in documentation.

The spec says that this grant type is "optimized for public clients known
to operate a particular redirection URI".
(a) What does "public" mean here? In what sense could a client be public or
private, and why is implicit grant more appropriate for the public case?
(b) What does "a particular redirection URI" mean? The role of the redirect
URI and expectations of how it is handled are identical to the code type,
right?

The potential appeal of this flow to me is the reduction of steps in the
case where there is only one type of token needed which does not need to be
refreshed. In section 4.2 of the spec [1], steps A, B, and C were exactly
what I expected. However:
(a) I don't understand the use case for D, E, and F, and I couldn't find
any discussion of this on the web.
(b) Moreover, I don't understand why D, E, and F would ever be necessary,
because the access token is already sent directly to the client in step C.

Thanks!
John


[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2

--f46d04451797cc197a04b1bcf286--

From Michael.Jones@microsoft.com  Tue Nov 15 00:28:02 2011
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB37421F8D4E for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 00:28:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.297
X-Spam-Level: 
X-Spam-Status: No, score=-10.297 tagged_above=-999 required=5 tests=[AWL=0.301, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ih80MC8oWW3W for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 00:28:02 -0800 (PST)
Received: from smtp.microsoft.com (mail2.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id F26C221F8D47 for <oauth@ietf.org>; Tue, 15 Nov 2011 00:28:01 -0800 (PST)
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (157.54.80.25) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 15 Nov 2011 00:28:02 -0800
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.65]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.01.0355.003; Tue, 15 Nov 2011 00:28:01 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth 2.0 JWT Bearer Token Profiles Specification Draft -02
Thread-Index: AcyjcHiTVkpzza01R1qadchBMSvFSA==
Date: Tue, 15 Nov 2011 08:28:01 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F6FC663@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.37]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F6FC663TK5EX14MBXC283r_"
MIME-Version: 1.0
Subject: [OAUTH-WG] OAuth 2.0 JWT Bearer Token Profiles Specification Draft -02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 08:28:03 -0000

--_000_4E1F6AAD24975D4BA5B16804296739435F6FC663TK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Draft 02 of the OAuth 2.0 JWT Bearer Token Profiles Specification<http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.html> has been published.  It contains the following changes:
*        Removed remaining vestiges of normative text talking about SAML that remained from the SAML Profile draft.
*        Replaced all references where the reference is used as if it were part of the sentence (such as "defined by [I-D.whatever]") with ones where the specification name is used, followed by the reference (such as "defined by Whatever [I-D.whatever]").

The draft is available at these locations:

*        http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02

*        http://www.ietf.org/internet-drafts/draft-jones-oauth-jwt-bearer-02.pdf

*        http://www.ietf.org/internet-drafts/draft-jones-oauth-jwt-bearer-02.txt

*        http://www.ietf.org/internet-drafts/draft-jones-oauth-jwt-bearer-02.xml

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.html

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.pdf

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.txt

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.xml

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.html (will point to new versions as they are posted)

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.pdf (will point to new versions as they are posted)

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.txt (will point to new versions as they are posted)

*        http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.xml (will point to new versions as they are posted)

*        http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, pdf, txt, and html versions available)

                                                            -- Mike


--_000_4E1F6AAD24975D4BA5B16804296739435F6FC663TK5EX14MBXC283r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class="MsoNormal">Draft 02 of the <a href="http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.html">OAuth 2.0 JWT Bearer Token Profiles Specification</a> has been published. It contains the following changes:</p>
<ul>
<li>Removed remaining vestiges of normative text talking about SAML that remained from the SAML Profile draft.</li>
<li>Replaced all references where the reference is used as if it were part of the sentence (such as "defined by [I-D.whatever]") with ones where the specification name is used, followed by the reference (such as "defined by Whatever [I-D.whatever]").</li>
</ul>
<p class="MsoNormal">The draft is available at these locations:</p>
<ul>
<li><a href="http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02">http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02</a></li>
<li>http://www.ietf.org/internet-drafts/draft-jones-oauth-jwt-bearer-02.pdf</li>
<li>http://www.ietf.org/internet-drafts/draft-jones-oauth-jwt-bearer-02.txt</li>
<li>http://www.ietf.org/internet-drafts/draft-jones-oauth-jwt-bearer-02.xml</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.html</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.pdf</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.txt</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-02.xml</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.html (will point to new versions as they are posted)</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.pdf (will point to new versions as they are posted)</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.txt (will point to new versions as they are posted)</li>
<li>http://self-issued.info/docs/draft-jones-oauth-jwt-bearer.xml (will point to new versions as they are posted)</li>
<li>http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, pdf, txt, and html versions available)</li>
</ul>
<p class="MsoNormal">-- Mike</p>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739435F6FC663TK5EX14MBXC283r_--

From jricher@mitre.org  Tue Nov 15 05:58:11 2011
Message-ID: <1321365477.7567.61.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: John Joseph Bachir <j@jjb.cc>
Date: Tue, 15 Nov 2011 08:57:57 -0500
In-Reply-To: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com>
References: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.1- 
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] questions about implicit grant

> The spec says that this grant type is "optimized for public clients
> known to operate a particular redirection URI".
> (a) What does "public" mean here? In what sense could a client be
> public or private, and why is implicit grant more appropriate for the
> public case?

Section 2.1, client types.

> (b) What does "a particular redirection URI" mean? The role of the
> redirect URI and expectations of how it is handled are identical to
> the code type, right?

Since you can't reliably bake a secret into a public client, you can't
rely on it to validate the client. However, if you are using a trusted
and pre-registered redirection URL, then you are very effectively
identifying the client. A bad actor wouldn't use someone else's redirect
URL because they'd never get the callback.

> The potential appeal of this flow to me is the reduction of steps in
> the case where there is only one type of token needed which does not
> need to be refreshed. In section 4.2 of the spec [1], steps A, B, and
> C were exactly what I expected. However:
> (a) I don't understand the use case for D, E, and F, and I couldn't
> find any discussion of this on the web.
> (b) Moreover, I don't understand why D, E, and F would ever be
> necessary, because the access token is already sent directly to the
> client in step C.

Step C is the server sending back the HTTP redirect in response to step
A. Steps D and E are the user agent following that HTTP redirect. Step
F is extracting the information from the redirected endpoint. While the
access token is sent back in step C, scripts running in the user agent
don't have easy access to it.

 -- Justin
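
As an added example (not code from this thread, the OAuth draft, or any implementation), the exchange Justin describes, in JavaScript: the server's exact-match check of a pre-registered redirection URI, the step C redirect that carries the token in the fragment, what the user agent actually sends to the client's server in steps D and E, and the step F script that extracts the token. Client ids, URLs and token values are constructed; the state check goes a little beyond the reply and follows the spec's implicit grant response.

```javascript
// Added example, not code from the thread or from any OAuth implementation:
// the implicit grant redirect as seen by the authorization server (step C),
// by the client's web server (steps D and E) and by the script the client
// serves to the user agent (step F). All ids, URLs and token values are
// constructed. Runs under Node (URL and URLSearchParams are globals).

// Registration data for a public client (constructed). It has no secret, so
// the only thing that ties an authorization request to it is the
// redirection URI registered for it up front.
const REGISTERED_CLIENTS = {
  "spa-client": { redirectUris: ["https://app.example.com/callback"] },
};

// Authorization server check: the requested redirect_uri must match a
// registered one exactly. A request presenting someone else's registered
// URI gains nothing, because the callback goes to that URI, not to the
// presenter.
function isRegisteredRedirectUri(clientId, requestedUri) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client) return false;
  return client.redirectUris.includes(requestedUri);
}

// Step C: the server answers the authorization request with an HTTP
// redirect whose Location puts the token in the fragment (after '#').
function buildImplicitRedirect(redirectUri, token) {
  const fragment = new URLSearchParams({
    access_token: token.accessToken,
    token_type: "bearer",
    expires_in: String(token.expiresIn),
    state: token.state,
  });
  return `${redirectUri}#${fragment.toString()}`;
}

// Steps D and E: the user agent follows the redirect. The request it sends
// to the client's web server carries only path and query (the host goes in
// the Host header); the fragment stays inside the user agent.
function requestTargetOf(location) {
  const u = new URL(location);
  return u.pathname + u.search;
}

// Step F: the page returned in step E contains a script that reads the
// fragment locally (window.location.hash in a browser) and pulls the token
// out. It also checks that the state is the one this client generated for
// its own request, so a redirect it did not initiate is ignored.
function extractTokenFromFragment(location, expectedState) {
  const hash = new URL(location).hash;
  if (!hash.startsWith("#")) return null;
  const params = new URLSearchParams(hash.slice(1));
  if (params.get("state") !== expectedState) return null;
  const accessToken = params.get("access_token");
  if (!accessToken || params.get("token_type") !== "bearer") return null;
  return { accessToken, expiresIn: Number(params.get("expires_in")) };
}

// The whole exchange, returning what each party ends up with.
function runImplicitFlow(clientId, requestedUri, state) {
  if (!isRegisteredRedirectUri(clientId, requestedUri)) {
    return { error: "invalid_request" }; // server refuses; no redirect issued
  }
  const token = { accessToken: "tok-constructed-123", expiresIn: 3600, state };
  const location = buildImplicitRedirect(requestedUri, token); // step C
  return {
    serverSees: requestTargetOf(location), // steps D and E
    clientScriptSees: extractTokenFromFragment(location, state), // step F
  };
}
```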



From dick.hardt@gmail.com  Tue Nov 15 09:20:47 2011
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E739EC2CD8@SN2PRD0302MB137.namprd03.prod.outlook.com>
Date: Tue, 15 Nov 2011 10:20:35 -0700
Message-Id: <D339181F-516E-459D-BD67-E14F625DE8E1@gmail.com>
References: <725EAF50-3A82-4AAE-8C60-6D4C4AE52A79@gmx.net> <20111021005637.Horde.X6nKL0lCcOxOoKclCL3mgBA@webmail.df.eu> <429493818451304B84EC9A0797B5D8582383F7@SEAPXCH10MBX01.amer.gettywan.com> <90C41DD21FB7C64BB94121FBBC2E723452631E987B@P3PW5EX1MB01.EX1.SECURESERVER.NET>, <44A277AD-1874-4160-9ECD-87DEFB2A7F60@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345263321013@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E739EC2CD8@SN2PRD0302MB137.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: Dan Taflin <dan.taflin@gettyimages.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Rechartering

The authoritative server could be acting as an intermediary for other authoritative servers.

e.g. RP would like to get access to both Facebook and Twitter. An intermediate AS could acquire both tokens for the RP.

On Oct 31, 2011, at 3:56 PM, Anthony Nadalin wrote:

> Could be 2 tokens that still fulfill the same scope just that each token is a subset of the requested scope.
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
> Sent: Monday, October 31, 2011 2:17 PM
> To: Dick Hardt
> Cc: OAuth WG; Dan Taflin
> Subject: Re: [OAUTH-WG] Rechartering
>
> That's a whole different issue as this is about talking to a single server returning two tokens with different scopes.
>
> EHL
>
> ________________________________________
> From: Dick Hardt [dick.hardt@gmail.com]
> Sent: Saturday, October 29, 2011 12:07 AM
> To: Eran Hammer-Lahav
> Cc: Dan Taflin; OAuth WG
> Subject: Re: [OAUTH-WG] Rechartering
>
> What if the access tokens come from different authoritative servers?
>
> On Oct 26, 2011, at 9:15 AM, Eran Hammer-Lahav wrote:
>
>> Why not just ask for one access token with all the scopes you need, then refresh it by asking for the different subsets you want.
>>
>> EHL
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dan Taflin
>>> Sent: Tuesday, October 25, 2011 3:37 PM
>>> To: OAuth WG
>>> Subject: Re: [OAUTH-WG] Rechartering
>>>
>>> I would like to second Torsten's pitch for the ability to return multiple access tokens with a single authorization process. The use case for my company is to segment operations into two main categories: protected and confidential. (A possible third category, public, would not require any authorization at all).
>>> Protected operations would be user-specific operations that don't involve the passing of any sensitive information, such as image search results tagged with information about whether each image is available for download by that user. Confidential operations would involve passing user data, like user registration or e-commerce. We would like to protect each category of operations with distinct tokens: a general-use token for protected operations, and a secure token for confidential operations.
>>>
>>> We could use the scope parameter to specify either "protected" or "confidential". Currently the oauth spec allows a Refresh token to request a new token with reduced scope from the one originally issued, but there is no way to obtain a new token with a completely different scope without doing the full oauth dance a second time.
>>>
>>> Dan
>>>
>>> -----Original Message-----
>>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>>> Sent: Thursday, October 20, 2011 3:57 PM
>>> To: Hannes Tschofenig
>>> Cc: OAuth WG
>>> Subject: Re: [OAUTH-WG] Rechartering
>>>
>>> Hi all,
>>>
>>> my prioritization is driven by the goal to make OAuth the authorization framework of choice for any internet standard protocol, such as WebDAV, IMAP, SMTP or SIP. So let me first explain what is missing from my point of view and explain some thoughts how to fill the gaps.
>>>
>>> A standard protocol is defined in terms of resource types and messages by a body (e.g. IETF, OIDF, OMA), (hopefully) implemented in many places, and used by different but deployment-independent clients.
>>> OAuth-based protocol specifications must also define scope values (e.g. read, write, send) and their relation to the resource types and messages. The different deployments expose the standard protocol on different resource server endpoints. In my opinion, it is fundamental to clearly distinguish scope values (standardized, static) and resource server addresses (deployment specific) and to manage their relationships. The current scope definition is much too weak and insufficient.
>>> Probably, the UMA concepts of hosts, resource sets, and corresponding scopes could be adopted for that purpose.
>>>
>>> OAuth today requires clients to register with the service provider before they are deployed. Would you really expect IMAP clients, e.g. Thunderbird, to register with any e-Mail services upfront? So clients should be given a way to register dynamically to the authorization servers. This should also allow us to cover "client instance" aspects.
>>> It is interesting to note, that such a mechanism would allow us to get rid of secret-less clients and the one-time usage requirement for authorization codes.
>>>
>>> We also assume the client to know the URLs of the resource server and the corresponding authorization server and to use HTTPS server authentication to verify the resource server's authenticity. This is impossible in the standard scenario. Clients must be able to discover the authorization server a particular resource server relies on at runtime. The discovery mechanism could be specified by the OAuth WG, but could also be part of an application protocols specification. But we MUST find another way to prevent token phishing by counterfeit resource servers.
>>>
>>> As one approach, the client could pass the (previously HTTPS validated) resource server's URL with the authorization request. The authorization server should then refuse such requests for any unknown (counterfeit) resource servers. Such an additional parameter could also serve as namespace for scope values and enable service providers to run multiple instances of the same service within a single deployment.
>>>
>>> If the additional data enlarges the request payload too much, we could consider to adopt the "request by reference" proposal.
>>>
>>> Let's now assume, OAuth is successful in the world of standard protocols and we will see plenty of deployments with a bunch of different OAuth protected resource servers. Shall these servers all be accessible with a single token? In my opinion, this would cause security, privacy and/or scalability/performance problems. To give just the most obvious example, the target audience of such a token cannot be restricted enough, which may allow a resource server (or an attacker in control of it) to abuse the token on other servers. But the current design of the code grant type forces deployments to use the same token for all services. What is needed from my point of view is a way to request and issue multiple server-specific access tokens with a single authorization process.
>>>
>>> I've been advocating this topic for a long time now and I'm still convinced this is required to really complete the core design. We at Deutsche Telekom needed and implemented this function on top of the existing core. In my opinion, a core enhancement would be easier to handle and more powerful.
>>> If others support this topic, I would be willing to submit an I-D describing a possible solution.
>>>
>>> If we take standards really seriously, then service providers should be given the opportunity to implement their service by utilizing standard server implementations. This creates the challenge to find a standardized protocol between authorization server and resource server to exchange authorization data. Depending on the token design (self-contained vs. handle) this could be solved by either standardizing a token format (JWT) or an authorization API.
>>>
>>> Based on the rationale given above, my list is as follows (topics w/o I-D are marked with *):
>>>
>>> - Revocation (low hanging fruit since I-D is ready and implemented in some places)
>>> - Resource server notion*
>>> - Multiple access tokens*
>>> - Dynamic client registration
>>> 1) Dynamic Client Registration Protocol
>>> 4) Client Instance Extension
>>> - Discovery
>>> (10) Simple Web Discovery, probably other specs as well
>>> - (6) JSON Web Token
>>> - (7) JSON Web Token (JWT) Bearer Profile
>>> - 8) User Experience Extension
>>> - Device flow
>>> - 9) Request by Reference
>>> (depending on resource server notion and multiple access tokens)
>>>
>>> regards,
>>> Torsten.
>>> Quoting Hannes Tschofenig <hannes.tschofenig@gmx.net>:
>>>
>>>> Hi all,
>>>>
>>>> in preparation of the upcoming IETF meeting Barry and I would like to start a re-chartering discussion.  We both are currently attending the Internet Identity Workshop and so we had the chance to solicit input from the participants. This should serve as a discussion starter.
>>>>
>>>> Potential future OAuth charter items (in random order):
>>>>
>>>> ----------------
>>>>
>>>> 1) Dynamic Client Registration Protocol
>>>>
>>>> Available document:
>>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-dynreg/
>>>>
>>>> 2) Token Revocation
>>>>
>>>> Available document:
>>>> http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/
>>>>
>>>> 3) UMA
>>>>
>>>> Available document:
>>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
>>>>
>>>> 4) Client Instance Extension
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/id/draft-richer-oauth-instance-00.txt
>>>>
>>>> 5) XML Encoding
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt
>>>>
>>>> 6) JSON Web Token
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/html/draft-jones-json-web-token-05
>>>>
>>>> 7) JSON Web Token (JWT) Bearer Profile
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00
>>>>
>>>> 8) User Experience Extension
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00
>>>>
>>>> 9) Request by Reference
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/html/draft-sakimura-oauth-requrl-00
>>>>
>>>> 10) Simple Web Discovery
>>>>
>>>> Available document:
>>>> http://tools.ietf.org/html/draft-jones-simple-web-discovery-00
>>>>
>>>> ----------------
>>>>
>>>> We have the following questions:
>>>>
>>>> a) Are you interested in any of the above-listed items? (as a reviewer, co-author, implementer, or someone who would like to deploy). It is also useful to know if you think that we shouldn't work on a specific item.
>>>>
>>>> b) Are there other items you would like to see the group working on?
>>>>
>>>> Note: In case your document is expired please re-submit it.
>>>>
>>>> Ciao
>>>> Hannes & Barry
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth


From johnjosephbachir@gmail.com  Tue Nov 15 09:41:18 2011
MIME-Version: 1.0
In-Reply-To: <1321365477.7567.61.camel@ground>
References: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com> <1321365477.7567.61.camel@ground>
Date: Tue, 15 Nov 2011 12:41:16 -0500
Message-ID: <CAOf2Z5vEJ1+3aV0y699J9AO4=ZxaCz-JNvo5KdocNwSw-iEtfQ@mail.gmail.com>
From: John Joseph Bachir <j@jjb.cc>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=f46d0444eda18992ba04b1c97e27
Subject: Re: [OAUTH-WG] questions about implicit grant

--f46d0444eda18992ba04b1c97e27
Content-Type: text/plain; charset=UTF-8

Thanks Justin - some more questions below...



> > What does "public" mean here? In what sense could a client be
> > public or private, and why is implicit grant more appropriate for the
> > public case?
>
> Section 2.1, client types.
>

My understanding of a public client from this section was a client which is
distributed and not hosted on a server, such as a desktop or mobile app.
How is it possible for a web-hosted client to be public?


> Step C is the server sending back the HTTP redirect in response to step
> A. Steps D and E are the user agent following that HTTP redirect. Step
> F is extracting the information from the redirected endpoint. While the
> access token is sent back in step C, scripts running in the user agent
> don't have easy access to it.


Ah whoops, I misread C and D. So here's my real question: Why doesn't the
user agent send the access token to the server in D? Why does the web
server have to deliver a script which extracts it locally? Is it to
facilitate a certain style of applications development?

--f46d0444eda18992ba04b1c97e27--

From jricher@mitre.org  Tue Nov 15 10:00:25 2011
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFCEE1F0C61 for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 10:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jP2VYU5-zc6N for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 10:00:25 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5DB251F0C5F for <oauth@ietf.org>; Tue, 15 Nov 2011 10:00:25 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id ABEEF21B0FE5; Tue, 15 Nov 2011 13:00:24 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 9E74721B0FA9; Tue, 15 Nov 2011 13:00:24 -0500 (EST)
Received: from [129.83.50.8] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.1.339.1; Tue, 15 Nov 2011 13:00:24 -0500
Message-ID: <1321380011.7567.77.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: John Joseph Bachir <j@jjb.cc>
Date: Tue, 15 Nov 2011 13:00:11 -0500
In-Reply-To: <CAOf2Z5vEJ1+3aV0y699J9AO4=ZxaCz-JNvo5KdocNwSw-iEtfQ@mail.gmail.com>
References: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com> <1321365477.7567.61.camel@ground> <CAOf2Z5vEJ1+3aV0y699J9AO4=ZxaCz-JNvo5KdocNwSw-iEtfQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.1- 
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] questions about implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 18:00:26 -0000

On Tue, 2011-11-15 at 12:41 -0500, John Joseph Bachir wrote:
> Thanks Justin - some more questions below...
>
> > > What does "public" mean here? In what sense could a client be
> > > public or private, and why is implicit grant more appropriate for the
> > > public case?
> >
> > Section 2.1, client types.

> 
> My understanding of a public client from this section was a client
> which is distributed and not hosted on a server, such as a desktop or
> mobile app. How is it possible for a web-hosted client to be public?

In a JavaScript client, all of the code is distributed to the end user's
machine to execute locally, as opposed to a server-side script which
only shows the browser its output. In order for JS in the browser to
have a secret, the server that hosts the JS would need to spit out the
secret along with the code. This secret would likely be the same for
every instance of the JS client, and it would be readable by the end
user of all of them, which makes it not really a secret and not really
very useful.

> 
> > Step C is the server sending back the HTTP redirect in response to step
> > A. Steps D, and E are the user agent following that HTTP redirect. Step
> > F is extracting the information from the redirected endpoint. While the
> > access token is sent back in step C, scripts running in the user agent
> > don't have easy access to it.
> 
> 
> Ah whoops, I misread C and D. So here's my real question: Why doesn't
> the user agent send the access token to the server in D? Why does the
> web server have to deliver a script which extracts it locally? Is it
> to facilitate a certain style of applications development?

1) The browser generally doesn't send the fragment to the web server

2) That's just standard deployed practice for such JS clients, and it's
currently the easiest way for the JS to get a ping that the transaction
has completed. 


 -- Justin


From johnjosephbachir@gmail.com  Tue Nov 15 10:28:11 2011
Return-Path: <johnjosephbachir@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E021F0C62 for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 10:28:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level: 
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkwVowLkK1pn for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 10:28:10 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 781781F0C5A for <oauth@ietf.org>; Tue, 15 Nov 2011 10:28:10 -0800 (PST)
Received: by faap16 with SMTP id p16so867980faa.31 for <oauth@ietf.org>; Tue, 15 Nov 2011 10:28:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=BIu9GCndtneGXVQdeT52nilVBxeXF5jx0etCKxAhuVQ=; b=lhLYqagvfsFR9Vv8ZCAZIwKFe4YJ/fzuzMClyPbXwg8YVEuzsSMAWA1BUip6DMeTJo IqGNl4pYZGWW03MZH9A6uyw4lMrjuVwrDOk1dvzi6FnwOGyO5h0PbhxA9Lu+KQ84csZC hsTrfO2TPakaZf65yDp/yVm+aCVz8ytT9x2Fw=
MIME-Version: 1.0
Received: by 10.182.217.105 with SMTP id ox9mr6337844obc.45.1321381689367; Tue, 15 Nov 2011 10:28:09 -0800 (PST)
Sender: johnjosephbachir@gmail.com
Received: by 10.182.44.199 with HTTP; Tue, 15 Nov 2011 10:28:09 -0800 (PST)
In-Reply-To: <1321380011.7567.77.camel@ground>
References: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com> <1321365477.7567.61.camel@ground> <CAOf2Z5vEJ1+3aV0y699J9AO4=ZxaCz-JNvo5KdocNwSw-iEtfQ@mail.gmail.com> <1321380011.7567.77.camel@ground>
Date: Tue, 15 Nov 2011 13:28:09 -0500
X-Google-Sender-Auth: LC0gwK8BXrh4Ma9RIpia5vkzXe8
Message-ID: <CAOf2Z5tMozMbr1rK0zFPqgNnmsM1xeH_CP27sLaQWetMUaZpVA@mail.gmail.com>
From: John Joseph Bachir <j@jjb.cc>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=f46d04447311351df604b1ca268e
Subject: Re: [OAUTH-WG] questions about implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 18:28:11 -0000

--f46d04447311351df604b1ca268e
Content-Type: text/plain; charset=UTF-8

Okay, so I think the basic thing I'm not getting is: what's the use case
for a javascript client? Googling doesn't help much here...

--f46d04447311351df604b1ca268e--

From dan.taflin@gettyimages.com  Tue Nov 15 12:26:15 2011
Return-Path: <dan.taflin@gettyimages.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404421F0C87 for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 12:26:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.724
X-Spam-Level: 
X-Spam-Status: No, score=-4.724 tagged_above=-999 required=5 tests=[AWL=-1.125, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o8rX8gS5S43b for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 12:26:11 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id F2AA81F0C86 for <oauth@ietf.org>; Tue, 15 Nov 2011 12:26:10 -0800 (PST)
Received: from mail205-ch1-R.bigfish.com (10.43.68.251) by CH1EHSOBE014.bigfish.com (10.43.70.64) with Microsoft SMTP Server id 14.1.225.22; Tue, 15 Nov 2011 20:25:38 +0000
Received: from mail205-ch1 (localhost.localdomain [127.0.0.1])	by mail205-ch1-R.bigfish.com (Postfix) with ESMTP id 1A8421720173; Tue, 15 Nov 2011 20:25:56 +0000 (UTC)
X-SpamScore: -7
X-BigFish: VPS-7(zzbb2dK9371K98dKzz1202hz4ejz8275bhz2fh2a8h668h839h946h)
X-Forefront-Antispam-Report: CIP:216.169.250.56; KIP:(null); UIP:(null); IPVD:NLI; H:SEAPXCH10CAHT02.amer.gettywan.com; RD:mailtest.gettyimages.com; EFVD:NLI
Received-SPF: pass (mail205-ch1: domain of gettyimages.com designates 216.169.250.56 as permitted sender) client-ip=216.169.250.56; envelope-from=dan.taflin@gettyimages.com; helo=SEAPXCH10CAHT02.amer.gettywan.com ; gettywan.com ; 
Received: from mail205-ch1 (localhost.localdomain [127.0.0.1]) by mail205-ch1 (MessageSwitch) id 1321388753945023_23753; Tue, 15 Nov 2011 20:25:53 +0000 (UTC)
Received: from CH1EHSMHS033.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.241])	by mail205-ch1.bigfish.com (Postfix) with ESMTP id CA0C6238053;	Tue, 15 Nov 2011 20:25:53 +0000 (UTC)
Received: from SEAPXCH10CAHT02.amer.gettywan.com (216.169.250.56) by CH1EHSMHS033.bigfish.com (10.43.70.33) with Microsoft SMTP Server (TLS) id 14.1.225.22; Tue, 15 Nov 2011 20:26:02 +0000
Received: from SEAPXCH10MBX01.amer.gettywan.com ([fe80::f054:280d:92db:5fff]) by SEAPXCH10CAHT02.amer.gettywan.com ([::1]) with mapi id 14.01.0289.001; Tue, 15 Nov 2011 12:26:01 -0800
From: Dan Taflin <dan.taflin@gettyimages.com>
To: John Joseph Bachir <j@jjb.cc>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] questions about implicit grant
Thread-Index: Acyj1Mf0tBO8jEKIgUaXWOk47jlPJA==
Date: Tue, 15 Nov 2011 20:26:00 +0000
Message-ID: <CAE80AD5.32E95%dan.taflin@gettyimages.com>
In-Reply-To: <CAOf2Z5tMozMbr1rK0zFPqgNnmsM1xeH_CP27sLaQWetMUaZpVA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-Entourage/13.11.0.110726
x-originating-ip: [10.194.244.88]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <E656896DC2378A4699AF6022C3887AEC@gettyimages.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: gettyimages.com
Subject: Re: [OAUTH-WG] questions about implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 20:26:15 -0000

I’ve spent the last couple months trying to answer this question myself
(even posted on Stack Overflow,
http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2),
and here’s the best answer I can come up with: it’s a great solution for
someone like, say, Facebook or Twitter to be able to hand out a blob of
javascript and say, “Here, put this on your web page to enable users to
like/tweet/post on their account.” The 3rd-party web site doesn’t have to
write a lick of oauth code to manage the authorization process – the
access token just magically becomes available in the javascript code.

Dan

On 11/15/11 10:28 AM, "John Joseph Bachir" <j@jjb.cc> wrote:

Okay, so I think the basic thing I'm not getting is: what's the use case
for a javascript client? Googling doesn't help much here...
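
The mechanism Justin describes (the browser does not send the fragment to
the web server, so only a script delivered with the page can extract the
token) and Dan's "the access token just magically becomes available in
the javascript code" are shown below as an added example. It is not code
from this thread, from RFC 6749 or from any real client library; the
callback URL, token and state values are constructed and the function
names are hypothetical. The script checks the "state" it stored before
starting the flow before it trusts anything else in the fragment, and
handles the error response that arrives in the same fragment.

```javascript
// Added example (not from the thread): how browser-side script reads an
// implicit-grant response (RFC 6749 section 4.2) out of the URL fragment.
// All URLs and values are constructed; function names are hypothetical.

// What the web server hosting the client receives for the redirected
// request: origin, path and query string, but never the fragment.
function serverVisibleUrl(redirectedUrl) {
  const u = new URL(redirectedUrl);
  return u.origin + u.pathname + u.search;
}

// Parse the fragment and validate it against the state value the client
// stored before it started the flow. Returns { ok: true, ... } with the
// token fields, or { ok: false, reason } when the response must be dropped.
function parseImplicitResponse(redirectedUrl, expectedState) {
  const u = new URL(redirectedUrl);
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  if (fragment === '') {
    return { ok: false, reason: 'no_fragment' };
  }
  const p = new URLSearchParams(fragment);

  // State first: a response carrying somebody else's state (or none at
  // all) is not this browser's transaction and nothing in it is trusted.
  if (!p.has('state') || p.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }

  // Error responses (section 4.2.2.1) come back in the same fragment.
  if (p.has('error')) {
    return {
      ok: false,
      reason: 'error',
      error: p.get('error'),
      description: p.get('error_description') || '',
    };
  }

  const accessToken = p.get('access_token');
  const tokenType = p.get('token_type');
  if (!accessToken || !tokenType) {
    return { ok: false, reason: 'incomplete_response' };
  }
  let expiresIn = null;
  if (p.has('expires_in')) {
    expiresIn = Number(p.get('expires_in'));
    if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
      return { ok: false, reason: 'bad_expires_in' };
    }
  }
  // In a real page the script would now drop the fragment from the
  // address bar (history.replaceState) so the token does not linger in
  // history or get copied with the URL; omitted here because it needs
  // a browser.
  return { ok: true, accessToken, tokenType, expiresIn, scope: p.get('scope') || '' };
}
```

The `state` comparison is what ties the token in the fragment to a flow this
browser actually started; without it a page could be handed a token that
belongs to a different user's session.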


From johnjosephbachir@gmail.com  Tue Nov 15 13:40:31 2011
Return-Path: <johnjosephbachir@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E367211E80DE for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 13:40:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level: 
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5uFh-wqp8iKC for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2011 13:40:31 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id ED4C811E80DD for <oauth@ietf.org>; Tue, 15 Nov 2011 13:40:30 -0800 (PST)
Received: by wyf28 with SMTP id 28so6571913wyf.31 for <oauth@ietf.org>; Tue, 15 Nov 2011 13:40:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=WvMsGNzuhLrSZ4CqCKnc2jNsYiYykEFKbDBrl9z905I=; b=BPySMcf49GCHkPWECKjclLO77JlJw3rXnG7QcXZGS/tnUoll13aoRU64E+tbzLyg2N P1xdBU0tzBeFHKOjvSPbrEMJtA4poGx8uf6r5MedmZWxwlfl80D8VWf5Ry6iJ8mC7LLh ZCNiT8vWMJGv7jBC4gTQ500N41kH6CWkbeiCU=
MIME-Version: 1.0
Received: by 10.182.74.4 with SMTP id p4mr6497272obv.15.1321393229403; Tue, 15 Nov 2011 13:40:29 -0800 (PST)
Sender: johnjosephbachir@gmail.com
Received: by 10.182.44.199 with HTTP; Tue, 15 Nov 2011 13:40:29 -0800 (PST)
In-Reply-To: <CAE80AD5.32E95%dan.taflin@gettyimages.com>
References: <CAOf2Z5tMozMbr1rK0zFPqgNnmsM1xeH_CP27sLaQWetMUaZpVA@mail.gmail.com> <CAE80AD5.32E95%dan.taflin@gettyimages.com>
Date: Tue, 15 Nov 2011 16:40:29 -0500
X-Google-Sender-Auth: KJLLB739QNHVGT2iZEy5i4xFOOA
Message-ID: <CAOf2Z5vJB1LHsZEUtWCoqyr51cb1rHiHr6tndqbbhNMqT0ccwg@mail.gmail.com>
From: John Joseph Bachir <j@jjb.cc>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=f46d044518290c16d004b1ccd63d
Subject: Re: [OAUTH-WG] questions about implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 21:40:32 -0000

--f46d044518290c16d004b1ccd63d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 15, 2011 at 3:26 PM, Dan Taflin <dan.taflin@gettyimages.com> wrote:

> it’s a great solution for someone like, say, Facebook or Twitter to be
> able to hand out a blob of javascript and say, “Here, put this on your web
> page to enable users to like/tweet/post on their account.” The 3rd-party
> web site doesn’t have to write a lick of oauth code to manage the
> authorization process – the access token just magically becomes available
> in the javascript code.


Ah ha! It all makes sense now. I even know the mechanics of Facebook in
that case but didn't make the connection.

I wonder how the description in the spec could be tweaked a bit to maybe
explain this better.

--f46d044518290c16d004b1ccd63d--

From crew@cs.stanford.edu  Wed Nov 16 12:52:59 2011
Return-Path: <crew@cs.stanford.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A61D921F916A for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 12:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.667
X-Spam-Level: 
X-Spam-Status: No, score=-1.667 tagged_above=-999 required=5 tests=[AWL=0.598,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37y4s0tR17zW for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 12:52:59 -0800 (PST)
Received: from mail.fyigm.com (mail.fyigm.com [69.17.114.80]) by ietfa.amsl.com (Postfix) with ESMTP id E306321F9145 for <oauth@ietf.org>; Wed, 16 Nov 2011 12:52:58 -0800 (PST)
Received: from rfc by mail.fyigm.com with local (Exim 4.72) (envelope-from <crew@cs.stanford.edu>) id 1RQmUO-00021i-Rn; Wed, 16 Nov 2011 12:53:48 -0800
From: Roger Crew <crew@cs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20164.8924.854804.784106@hagen.valhalla>
Date: Wed, 16 Nov 2011 12:53:48 -0800
To: oauth@ietf.org
X-Mailer: VM 8.1.0 under 23.2.1 (x86_64-pc-linux-gnu)
X-Mailman-Approved-At: Wed, 16 Nov 2011 16:51:51 -0800
Subject: [OAUTH-WG] non-TLS clients and making the state parameter be use-once for authcode requests
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2011 20:52:59 -0000

So I'm trying to figure out if there's ANY way in which
non-TLS-capable clients (i.e., clients that cannot receive TLS
requests, e.g., because they're stuck in a shared-hosting environment
and can't have dedicated IP, can't use SSL URIs, etc... even if they
*can* initiate TLS connections to the auth server) 
can use the authorization code flow securely.

And it seems to me the CSRF scenario (10.12) makes this COMPLETELY
hopeless unless the following requirements are introduced
(this would be a modification of 4.1.2/3):

(*) When a "state" parameter is provided, the authorization code
    ultimately issued needs to be bound to that value as well
    (i.e., in addition to being bound to the client identifier and the
    redirection URI).

(*) The access token request (4.1.3) needs to be allowed to include a
    "state" parameter and, if included, the authorization server MUST
    then reject the request if the provided state value is not
    identical to the corresponding value from the original
    authorization request.

(*) A client MUST NOT use a particular state value for more than one
    authorization request.  If a given (client_id, state) pair is used
    more than once, the authorization server MUST deny the
    authorization request, MUST deny any subsequent request for an
    access token for that client based on that state value, and SHOULD
    attempt to revoke all tokens previously issued for that client
    that are based on THE code derived from that state value.

Oddly enough, this leads to some desirable properties.

This, along with the existing requirement that authorization codes
cannot be reused, in a sense, "guards both ends" of the redirection
chain that 

- begins with the initial client response (to whatever request) that
  transmits the state value to the browser, and 
- ends with the final browser request that transmits the code
  to the client's redirect_uri, 

of which only the first and last messages can be non-TLS-protected
(because all other requests/responses are between the browser and the
authorization server, which is required to use TLS).

The key point is that, with the above requirements, for any given
(client_id, state) pair, at most one corresponding redirect chain
can be carried to completion (i.e., issuance of an authorization code).

While an attacker who discovers the state value can attempt to obtain
a valid authorization code with her own credentials, if she does so
and her authorization request reaches the auth server first, then the
legitimate resource owner's own such request will fail in an obvious
way, and, having seen this failure, said owner will then have reason
to know that any subsequent report by the client that access has been
granted is necessarily bogus.

In this world, the authorization code, rather than being a bearer
instrument that must be kept secret at all costs, now becomes merely a
certificate that a redirect chain was carried to completion on SOME
browser SOMEWHERE.

The client, upon receiving the state value at the redirect_uri, WILL be
able to verify that the request came from the same browser that it
originally sent the state value to (whether because the request is
accompanied by a matching 'secure' cookie **OR** because the browser
and client are, say, using digest authentication and state is bound to
the hashed user:realm:password secret they share -- which does NOT
entail TLS).

An attacker may still be able to launch a CSRF request at redirect_uri
AND have sufficient network control to block the legitimate request
from getting through AND be able to use the same state value so that
the client won't be able to detect the substitution.  BUT, if she
doesn't use the same authorization code as well, the authorization
server will note the mismatch and client's subsequent access_token
request will fail.  And if she uses the same code, she's not deriving
any benefit other than to be able to do DOS attacks.

Thus, both the state value and the code can now safely (or at least
more safely than before) be made public.

Conversely, without these additional requirements, i.e., if the
authorization server does NOT check that the code matches the state
given in the access_token request, then the CSRF undetectably succeeds
EVEN IF TLS is being used at redirect_uri.  And if the state can be
used more than once to obtain a valid code, then it can be used in
other browser sessions and the CSRF attacker indeed will have
something to substitute that can do damage.

Therefore, with the current spec, if the state value can leak out AT
ALL, it's game over.

Which then means that a non-TLS-capable client, which has no secure
way to transmit the state value to the browser, is COMPLETELY USELESS
in OAuth2.

At which point I don't understand why the current spec doesn't just
require TLS clients and call it a day.

-- 
Roger Crew
206.940.5732
crew@cs.stanford.edu

From stephen.farrell@cs.tcd.ie  Wed Nov 16 18:44:17 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 284461F0C7D for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 18:44:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.569
X-Spam-Level: 
X-Spam-Status: No, score=-102.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JcbZp6+zNFa4 for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 18:44:16 -0800 (PST)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 6CFDA1F0C7C for <oauth@ietf.org>; Wed, 16 Nov 2011 18:44:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id B5D09171CCF; Thu, 17 Nov 2011 02:44:14 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:subject:mime-version :user-agent:from:date:message-id:received:received: x-virus-scanned; s=cs; t=1321497854; bh=cBXW7Di6Z/SwzHi1lBt7MprF k4/tT75TgIsQtpbo7UY=; b=m+fmntdhdQyRUzBJmBqdtsDIkBky7Ied7KvFwnVs pjZoZw52MtWhivq/A0HMQL/SbRc1rwWwnMp0wiWUO8RoIGQcWEMJQG+hWWYZLntr O5MaFWveFez7HKvsTJi9JVXbaYM2Gh81VQFJBv4eqQbCZmAzgU3m5XVHtXXSfcXx 9KKr3V1QWw6+mrWr/ZDIm9/Xd9BkggWpNAzLspjisilUytjZ+MaQPJ3jfryBZl3H lWc6j55gnfFj4uY5A53oGVN+/MwGA5pz32DYDN+ivMSjElEDvoinQT1CDpIvxDqH 5hw/3I43sap8VWAgx+JMj1qSU5iQQHBtD5GuIBpW9XCSNw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id QqFraFU7hsqM; Thu, 17 Nov 2011 02:44:14 +0000 (GMT)
Received: from [130.129.37.121] (dhcp-2579.meeting.ietf.org [130.129.37.121]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 19A15171C1A; Thu, 17 Nov 2011 02:44:12 +0000 (GMT)
Message-ID: <4EC474FA.4050907@cs.tcd.ie>
Date: Thu, 17 Nov 2011 02:44:10 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: "dane-chairs@tools.ietf.org" <dane-chairs@tools.ietf.org>,  "nea-chairs@tools.ietf.org" <nea-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] wg summaries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 02:44:17 -0000

Reminder: please send your wg summary messages to saag before
the session at 1520!

Nea and oauth: I know that's quite demanding
Dane: you met Monday :-)

Thanks,
S.

From stephen.farrell@cs.tcd.ie  Wed Nov 16 18:59:30 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A13771F0CA1 for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 18:59:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.574
X-Spam-Level: 
X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7A+YJFYKdtGi for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 18:59:24 -0800 (PST)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id DA35D21F91D7 for <oauth@ietf.org>; Wed, 16 Nov 2011 18:59:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 4DB06171CCF for <oauth@ietf.org>; Thu, 17 Nov 2011 02:59:19 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1321498758; bh=CAtFE9v8L4rKi4 t7veQicQurn1QO4AcUPP5Xe6I1cmM=; b=niR722s1XJFtcN/An/xbRLG5hHY2Zl ajw1C0RsCvZcETSRBe3c9ZXufsybzMXcGJ6t7LWWnmjg2Zhp02sqW9PqcLV3BCAk iItFIJIVNCVkFfgR+Dk9ZEIKywJN/QpRTn1ntc4PNDiq1Z+Fruwssvsiwt+iAKhE 09OT7O8hvU49ut59SeqIw8M41x86ss40QVZiZcBSlp+C/Z6etlZ3Q7f7sjNITquj iB1s6HIG5iCx/4yzciwcUXHajNr4xBBsgyl0+fF6yJLrBT98OYxVgE0ebPLTSVMp RbbqaMXd7W3dH+b/0YdScsryLof0Lynh7FQ2mQpcYBkjv9FQ0vfkdkwA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id JxFfA72gtFRY for <oauth@ietf.org>; Thu, 17 Nov 2011 02:59:18 +0000 (GMT)
Received: from [130.129.37.121] (dhcp-2579.meeting.ietf.org [130.129.37.121]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 3B09B171C1A for <oauth@ietf.org>; Thu, 17 Nov 2011 02:59:17 +0000 (GMT)
Message-ID: <4EC4787F.6040406@cs.tcd.ie>
Date: Thu, 17 Nov 2011 02:59:11 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <4EC474FA.4050907@cs.tcd.ie>
In-Reply-To: <4EC474FA.4050907@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] wg summaries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 02:59:30 -0000

oops - meant just for the chairs, apologies.

S

On 11/17/2011 02:44 AM, Stephen Farrell wrote:
>
> Reminder: please send your wg summary messages to saag before
> the session at 1520!
>
> Nea and oauth: I know that's quite demanding
> Dane: you met Monday :-)
>
> Thanks,
> S.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

From wmills@yahoo-inc.com  Wed Nov 16 21:34:31 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C14811E80BA for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 21:34:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.937
X-Spam-Level: 
X-Spam-Status: No, score=-15.937 tagged_above=-999 required=5 tests=[AWL=-0.939, BAYES_50=0.001, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJv-xrifKqxK for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 21:34:30 -0800 (PST)
Received: from nm14.bullet.mail.sp2.yahoo.com (nm14.bullet.mail.sp2.yahoo.com [98.139.91.84]) by ietfa.amsl.com (Postfix) with SMTP id BCB2A11E8083 for <oauth@ietf.org>; Wed, 16 Nov 2011 21:34:30 -0800 (PST)
Received: from [98.139.91.67] by nm14.bullet.mail.sp2.yahoo.com with NNFMP; 17 Nov 2011 05:34:26 -0000
Received: from [98.139.91.20] by tm7.bullet.mail.sp2.yahoo.com with NNFMP; 17 Nov 2011 05:32:39 -0000
Received: from [127.0.0.1] by omp1020.mail.sp2.yahoo.com with NNFMP; 17 Nov 2011 05:32:39 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 69631.13352.bm@omp1020.mail.sp2.yahoo.com
Received: (qmail 88753 invoked by uid 60001); 17 Nov 2011 05:32:38 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1321507958; bh=50wXuJ6fVPmedeGm22CbB9eQngzkqj1w2nMFy70TToM=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=QjUmy7z0/Y8Bm27gWqmPn6HPrYdcsxrhd730ZlqC0ypz3ZE8l+p2Q1sYKtNDeO4HHtrDD8Pcm/FEgxaS4m8ajmhdsik5vYLMI7s7Jkx4SYGSt+UvxpgkzPJas9IsIujWWUuGLV8ow7SrUHyjaIsdKaJBbC/x4I4/kUP2iai833U=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=ZiiS2ILnn7MNWlL51ADxcPEOgmj2Vp4hsswqB6LcMkJEnC1tVHzP+PUplah6Xm+pEUF+E6ePNTTHKQb0ru5DSCcMlv+PIbtq1ijXWpLe6j31HhmMXqOLJ2tjqyAMD9N6EsNNVCDl5CH5qQ7TaQ9qR0ijf6ZY+j4Uinfedo2V37c=;
X-YMail-OSG: NNGeC3kVM1m_PakS23vUJXBrbT5cM.a5NgkYLrVYC4UxjQi DXER02FAiZVi4gM4tzc_LYwLMh2ZmIrF5Vm_VcRWC5QzoTAdgbeVREPFOSdA Zwl6SVvZdzuuTXU1CE42HjNGzmMWSWn3VadrBt5A_FZ7Maej0nPWSdG35MG5 vJA2XEs2Z8YA5BryEdE.cEEH0ArlXTn5n_u0OL0uB72BM0kmw9iSUWJSd6Gn uoFa4TyC8Uii2WYkKfTx.5a6vrzjxBjc60_jBW64nm3W4aG6co7GFjQFXOuT ArBEzZXlB6QCt2BO1QVHFc4P7Por16mWaRK5uLj38QpbE41GlU10g5qceLPB gLzAHO7ywFKWK7P4x.XvU.q5v6db9Z20vuEURGmM9__L79HRcetk9NFM95fV WBHq42UGJzcykMA_aPgfBqsNAHCMxvQM-
Received: from [99.31.212.42] by web31807.mail.mud.yahoo.com via HTTP; Wed, 16 Nov 2011 21:32:38 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.331203
References: <4EC474FA.4050907@cs.tcd.ie> <4EC4787F.6040406@cs.tcd.ie>
Message-ID: <1321507958.87903.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Wed, 16 Nov 2011 21:32:38 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <4EC4787F.6040406@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-125733401-1686429954-1321507958=:87903"
Subject: [OAUTH-WG] IETF session
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 05:34:31 -0000

---125733401-1686429954-1321507958=:87903
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

If anyone is online and reading during the session happening now at the IET=
F can you reply with the WebEX info if possible?=A0 Or is there a chat room=
 I can poke comments into?=0A=0AI'm listening to the audio stream, but I'd =
like to throw comments from the sidelines if possible.=0A=0AThanks,=0A=0A-b=
ill=0A
---125733401-1686429954-1321507958=:87903--

From stpeter@stpeter.im  Wed Nov 16 21:38:25 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 424A911E80EA for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 21:38:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.54
X-Spam-Level: 
X-Spam-Status: No, score=-102.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dx-9OaJ7IIj for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 21:38:24 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 1583811E80E4 for <oauth@ietf.org>; Wed, 16 Nov 2011 21:38:17 -0800 (PST)
Received: from dhcp-1422.meeting.ietf.org (unknown [130.129.20.34]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 42792421AB; Wed, 16 Nov 2011 22:44:34 -0700 (MST)
Message-ID: <4EC49DC3.9060906@stpeter.im>
Date: Thu, 17 Nov 2011 13:38:11 +0800
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: William Mills <wmills@yahoo-inc.com>
References: <4EC474FA.4050907@cs.tcd.ie> <4EC4787F.6040406@cs.tcd.ie> <1321507958.87903.YahooMailNeo@web31807.mail.mud.yahoo.com>
In-Reply-To: <1321507958.87903.YahooMailNeo@web31807.mail.mud.yahoo.com>
X-Enigmail-Version: 1.3.3
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF session
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 05:38:25 -0000

On 11/17/11 1:32 PM, William Mills wrote:

> is there a chat room I can poke comments into?

xmpp:oauth@jabber.ietf.org?join

From Michael.Jones@microsoft.com  Wed Nov 16 21:39:43 2011
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94CBC1F0C4F for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 21:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.309
X-Spam-Level: 
X-Spam-Status: No, score=-10.309 tagged_above=-999 required=5 tests=[AWL=0.289, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxOhODV3D5AE for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2011 21:39:41 -0800 (PST)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id F0D1B1F0CA7 for <oauth@ietf.org>; Wed, 16 Nov 2011 21:39:40 -0800 (PST)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 16 Nov 2011 21:39:40 -0800
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.172]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.01.0355.003; Wed, 16 Nov 2011 21:39:39 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills@yahoo-inc.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] IETF session
Thread-Index: AQHMpOqZbhITuUqYLkeE2QduFfVQ3JWwjLPg
Date: Thu, 17 Nov 2011 05:39:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7214A0@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <4EC474FA.4050907@cs.tcd.ie> <4EC4787F.6040406@cs.tcd.ie> <1321507958.87903.YahooMailNeo@web31807.mail.mud.yahoo.com>
In-Reply-To: <1321507958.87903.YahooMailNeo@web31807.mail.mud.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.37]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F7214A0TK5EX14MBXC285r_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] IETF session
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 05:39:43 -0000

--_000_4E1F6AAD24975D4BA5B16804296739435F7214A0TK5EX14MBXC285r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


-------------------------------------------------------
To join the online meeting (Now from mobile devices!)
-------------------------------------------------------
1. Go to https://mitweb.webex.com/mitweb/j.php?ED=3D147209357&UID=3D0&PW=3D=
NOWMyMjdiODk3&RT=3DMiM0OA%3D%3D
2. If requested, enter your name and email address.
3. If a password is required, enter the meeting password: oauth
4. Click "Join".

To view in other time zones or languages, please click the link:
https://mitweb.webex.com/mitweb/j.php?ED=3D147209357&UID=3D0&PW=3DNOWMyMjdi=
ODk3&ORT=3DMiM0OA%3D%3D

-------------------------------------------------------
To join the audio conference only
-------------------------------------------------------
To receive a call back, provide your phone number when you join the meeting=
, or call the number below and enter the access code.
Call-in toll-free number (US/Canada): 1-877-668-4490
Call-in toll number (US/Canada): 1-408-792-6300
Global call-in numbers: https://mitweb.webex.com/mitweb/globalcallin.php?se=
rviceType=3DMC&ED=3D147209357&tollFree=3D1
Toll-free dialing restrictions: http://www.webex.com/pdf/tollfree_restricti=
ons.pdf

Access code: 642 618 535

-------------------------------------------------------
For assistance
-------------------------------------------------------
1. Go to https://mitweb.webex.com/mitweb/mc
2. On the left navigation bar, click "Support".

You can contact me at:
hardjono@mit.edu<mailto:hardjono@mit.edu>
1-781-729

To add this meeting to your calendar program (for example Microsoft Outlook=
), click this link:
https://mitweb.webex.com/mitweb/j.php?ED=3D147209357&UID=3D0&ICS=3DMI&LD=3D=
1&RD=3D2&ST=3D1&SHA2=3Di/CQ5d02ZtcCWiNri-2pY8rGizjeacJDYKN32P-dxPo=3D&RT=3D=
MiM0OA%3D%3D

The playback of UCF (Universal Communications Format) rich media files requ=
ires appropriate players. To view this type of rich media files in the meet=
ing, please check whether you have the players installed on your computer b=
y going to https://mitweb.webex.com/mitweb/systemdiagnosis.php.

Sign up for a free trial of WebEx
http://www.webex.com/go/mcemfreetrial

http://www.webex.com

CCP:+14087926300x642618535#



From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of W=
illiam Mills
Sent: Wednesday, November 16, 2011 9:33 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] IETF session

If anyone is online and reading during the session happening now at the IET=
F can you reply with the WebEX info if possible?  Or is there a chat room I=
 can poke comments into?

I'm listening to the audio stream, but I'd like to throw comments from the =
sidelines if possible.

Thanks,

-bill

--_000_4E1F6AAD24975D4BA5B16804296739435F7214A0TK5EX14MBXC285r_--

From barryleiba@gmail.com  Thu Nov 17 00:18:57 2011
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E941511E815F for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:18:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.834
X-Spam-Level: 
X-Spam-Status: No, score=-102.834 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrrR4VDYxN1t for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:18:57 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id E7D7F21F99B9 for <oauth@ietf.org>; Thu, 17 Nov 2011 00:18:51 -0800 (PST)
Received: by ggnr5 with SMTP id r5so839712ggn.31 for <oauth@ietf.org>; Thu, 17 Nov 2011 00:18:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=D8TCr0GlAPFMauFDIof7U98I+nnD/H3oU7gRnW+yoBc=; b=lGkJLMeFlcYNqsX8QbflrLkjgJCWXkIG0PW1dMpaUXGdcvHz81FSJqszUDVHuZyyK9 CVf0qQOQYXD1GRwWT79XpFly93ZpcVIXzayrX8IVZRqePfb07TBtSvFhGUBqmI+2SztQ oTdKc0tVgIS3Cv0oebBWLTKX4FK0hk0Rg7A14=
MIME-Version: 1.0
Received: by 10.236.200.130 with SMTP id z2mr7076759yhn.25.1321517931479; Thu, 17 Nov 2011 00:18:51 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.236.203.196 with HTTP; Thu, 17 Nov 2011 00:18:51 -0800 (PST)
Date: Thu, 17 Nov 2011 16:18:51 +0800
X-Google-Sender-Auth: e0mQLMkzdhICcwaT0f63qXYwFQo
Message-ID: <CALaySJKVaYOZSYFUt7f2EoTAbBdmu0q2MZ7CSohEipYAr2xbeQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [OAUTH-WG] Meeting minutes from IETF 82
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 08:18:58 -0000

The chairs have posted minutes to the meeting materials page.  Find them here:
http://www.ietf.org/proceedings/82/minutes/oauth.txt

A few messages will follow soon, with action items from the meeting.

Barry, as chair

From barryleiba@gmail.com  Thu Nov 17 00:22:28 2011
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4154D1F0CEE for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:22:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.838
X-Spam-Level: 
X-Spam-Status: No, score=-102.838 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g02xTUND4k2z for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:22:27 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id CDDDA1F0CEF for <oauth@ietf.org>; Thu, 17 Nov 2011 00:22:25 -0800 (PST)
Received: by ywt34 with SMTP id 34so852940ywt.31 for <oauth@ietf.org>; Thu, 17 Nov 2011 00:22:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=dFEgO/jlyfp6I9QzWL8uCFGGETBmKGePHR6bjej4HI0=; b=dodCFaie/NZdGWVgJfVmsKehMy+U4kPD9RJcs/qcwas9PjB3smEUsRDw227aQFv70e w+HLHXJos2RD30rQy2RyfnDFHo0QYTMk35NqeDzRTyvOsU/0nsFbtUG/FbsLDzNCS/8B 90pJsMI3oevIslMH9fAYkWDS04bVWkodn8h4M=
MIME-Version: 1.0
Received: by 10.236.22.4 with SMTP id s4mr1565505yhs.8.1321518145477; Thu, 17 Nov 2011 00:22:25 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.236.203.196 with HTTP; Thu, 17 Nov 2011 00:22:25 -0800 (PST)
Date: Thu, 17 Nov 2011 16:22:25 +0800
X-Google-Sender-Auth: PpoIv1kQLS37Ftum0_bSa4AlbwE
Message-ID: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 08:22:28 -0000

Working group last call begins today on the threat model document:
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01

Please review this version and post last call comments by 9 December.

Barry, as chair

From barryleiba@gmail.com  Thu Nov 17 00:28:48 2011
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22B0F1F0CF3 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:28:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.84
X-Spam-Level: 
X-Spam-Status: No, score=-102.84 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3IqzPMjP3PhG for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:28:47 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id A4A941F0CE8 for <oauth@ietf.org>; Thu, 17 Nov 2011 00:28:47 -0800 (PST)
Received: by ggnr5 with SMTP id r5so849655ggn.31 for <oauth@ietf.org>; Thu, 17 Nov 2011 00:28:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=k0JDw2LYNKWbHZjrves376wo5bfz9BnJKYayQKH3RLY=; b=HY0449EKvcDo1NRD0O38sggNWt8eso+pKfAOjDEz8e8Je4QdkwX77mgS6ZVdT+Tlgf DR++S6hNRo0Ys9tx1vMaySy+uuogu3vDfJQSehRDMZG/ASL54W4+e3xbRBnXdQ5b1ol2 xpaanfPyVw8EkxgCW5iUCiGCuol+Ayq2VUIKM=
MIME-Version: 1.0
Received: by 10.236.161.65 with SMTP id v41mr7412972yhk.42.1321518527324; Thu, 17 Nov 2011 00:28:47 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.236.203.196 with HTTP; Thu, 17 Nov 2011 00:28:47 -0800 (PST)
Date: Thu, 17 Nov 2011 16:28:47 +0800
X-Google-Sender-Auth: O_XurPENFZpnOyfguMW5dALkCgs
Message-ID: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 08:28:48 -0000

Stephen, as AD, brought up the question of mandatory-to-implement
token types, in the IETF 82 meeting.  There was some extended
discussion on the point:

- Stephen is firm in his belief that it's necessary for
interoperability.  He notes that mandatory to *implement* is not the
same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting
or negotiating a token type, there is no value in having any type be
mandatory to implement.

Stephen is happy to continue the discussion on the list, and make his
point clear.  In any case, there was clear consensus in the room that
we *should* specify a mandatory-to-implement type, and that that type
be bearer tokens.  This would be specified in the base document, and
would make a normative reference from the base doc to the bearer token
doc.

We need to confirm that consensus on the mailing list, so this starts
the discussion.  Let's work on resolving this over the next week or
so, and moving forward:

1. Should we specify some token type as mandatory to implement?  Why
or why not (*briefly*)?

2. If we do specify one, which token type should it be?

Barry, as chair
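Mike Jones's reply below narrows the terminology: Bearer and MAC are HTTP authentication schemes, JWT and SAML are token formats, and the mandatory-to-implement question is about the former. The following is an added example, not code from this thread or from any of the OAuth drafts, of a resource server that implements only the Bearer scheme as described in the bearer token draft (published later as RFC 6750) and treats the token format as a separate decision. The realm, the opaque token store, the shared HS256 key and the sample tokens are constructed for the demo, and HS256 JWT validation stands in for whatever structured token format a deployment actually uses.

```python
"""Added example (not from the thread or from any OAuth draft): a resource
server that implements the Bearer HTTP authentication scheme and, separately,
decides how to validate the token the scheme carries. The realm, opaque token
store and HS256 key below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import re
import time

# b64token as defined by the Bearer scheme (RFC 6750 section 2.1)
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed sample data: tokens this server issued itself, and the key it
# shares with an authorization server that issues HS256-signed JWTs.
OPAQUE_TOKENS = {"2YotnFZFEjr1zCsicMWpAA": {"sub": "alice", "scope": "read"}}
JWT_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_authorization(value):
    """Split 'Authorization: <scheme> <credentials>' into (scheme, credentials).
    Scheme names are case-insensitive, so the scheme is lower-cased."""
    parts = (value or "").strip().split(None, 1)
    if not parts:
        return None, None
    creds = parts[1].strip() if len(parts) > 1 else ""
    return parts[0].lower(), creds


def bearer_challenge(realm, error=None, description=None):
    """WWW-Authenticate value for a 400/401 response (RFC 6750 section 3)."""
    params = ['realm="%s"' % realm]
    if error:
        params.append('error="%s"' % error)
    if description:
        params.append('error_description="%s"' % description)
    return "Bearer " + ", ".join(params)


def make_jwt_hs256(claims, key):
    """Mint a compact HS256 JWS; stands in for the authorization server."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    return head + "." + body + "." + b64url_encode(sig)


def validate_jwt_hs256(token, key, now):
    """Return the claims of a valid, unexpired HS256 JWS, else None.
    Token-format validation lives here, independent of the HTTP scheme."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":  # rejects alg=none and key confusion
            return None
        expected = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if claims.get("exp", now + 1) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def authorize(headers, realm="example", now=None):
    """Resource-server decision for one request.
    Returns (status, WWW-Authenticate value or None, claims or None)."""
    now = time.time() if now is None else now
    scheme, creds = parse_authorization(headers.get("Authorization"))
    if scheme is None:
        # No credentials: challenge without an error code (RFC 6750 section 3.1)
        return 401, bearer_challenge(realm), None
    if scheme != "bearer":
        # Only the mandatory-to-implement scheme is supported here, so a MAC
        # (or any other) scheme gets the same challenge naming what does work.
        return 401, bearer_challenge(realm), None
    if not B64TOKEN.match(creds):
        return 400, bearer_challenge(realm, "invalid_request", "malformed token"), None
    # The scheme says nothing about the token format, so the server needs a
    # policy: tokens it issued itself are matched exactly, anything else is
    # tried as an HS256 JWT from the authorization server it trusts.
    claims = OPAQUE_TOKENS.get(creds)
    if claims is None and creds.count(".") == 2:
        claims = validate_jwt_hs256(creds, JWT_KEY, now)
    if claims is None:
        return 401, bearer_challenge(realm, "invalid_token", "token rejected"), None
    return 200, None, claims
```

A client that presents a MAC-scheme header gets the Bearer challenge back, so a client that can fall back to Bearer always has a working path even though the server is free to add other schemes. The alg check in validate_jwt_hs256 is there because once the server accepts a structured token, that format's own pitfalls (alg=none, expiry, signature stripping) become the resource server's problem, and nothing in the Bearer scheme addresses them.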

From Michael.Jones@microsoft.com  Thu Nov 17 00:32:51 2011
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB3321F995D for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:32:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.316
X-Spam-Level: 
X-Spam-Status: No, score=-10.316 tagged_above=-999 required=5 tests=[AWL=0.283, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYkZ+zCpMylS for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:32:50 -0800 (PST)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 977BA21F995B for <oauth@ietf.org>; Thu, 17 Nov 2011 00:32:50 -0800 (PST)
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (157.54.7.153) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 17 Nov 2011 00:32:50 -0800
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.172]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.01.0355.003; Thu, 17 Nov 2011 00:32:50 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
Thread-Index: AcylA3xOv1mPWlVvR+6FueyJKdY3og==
Date: Thu, 17 Nov 2011 08:32:49 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 08:32:51 -0000

Terminology correction:  This discussion was actually about HTTP
authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML,
etc.).  I've changed the subject line of the thread accordingly.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
Barry Leiba
Sent: Thursday, November 17, 2011 12:29 AM
To: oauth WG
Subject: [OAUTH-WG] Mandatory-to-implement token type

Stephen, as AD, brought up the question of mandatory-to-implement token
types, in the IETF 82 meeting.  There was some extended discussion on the
point:

- Stephen is firm in his belief that it's necessary for interoperability.
He notes that mandatory to *implement* is not the same as mandatory to
*use*.
- Several participants believe that without a mechanism for requesting or
negotiating a token type, there is no value in having any type be
mandatory to implement.

Stephen is happy to continue the discussion on the list, and make his
point clear.  In any case, there was clear consensus in the room that we
*should* specify a mandatory-to-implement type, and that that type be
bearer tokens.  This would be specified in the base document, and would
make a normative reference from the base doc to the bearer token doc.

We need to confirm that consensus on the mailing list, so this starts the
discussion.  Let's work on resolving this over the next week or so, and
moving forward:

1. Should we specify some token type as mandatory to implement?  Why or
why not (*briefly*)?

2. If we do specify one, which token type should it be?

2. If we do specify one, which token type should it be?

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
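
The distinction Mike draws above (HTTP authentication scheme versus token type) is easiest to see in code. The block below is an added example for this archive, not code from the OAuth working group or from any draft: a resource server parses the Bearer scheme's Authorization header using the b64token grammar, issues the matching WWW-Authenticate challenges, and then hands the opaque token string to a separate validator that understands the token type. The token store, the sample token values and the X-Subject response header are constructed for the example.

```python
"""Resource-server handling of the Bearer HTTP authentication scheme.

Added example; this is not code from the OAuth working group or from any
draft.  It separates the two things the terminology correction
distinguishes: the HTTP authentication scheme (how the credential travels
in the Authorization header) and the token type (what the opaque string
means).  The header grammar follows the Bearer scheme's b64token rule;
the token store and the sample tokens below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = r"[A-Za-z0-9\-._~+/]+=*"
# The scheme name is case-insensitive and separated from the token by
# one or more spaces; nothing may follow the token.
_BEARER_RE = re.compile(r"^Bearer +(" + _B64TOKEN + r")$", re.IGNORECASE)


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an Authorization header value, or None when
    the header is absent, uses another scheme, or is malformed."""
    if authorization is None:
        return None
    match = _BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


def challenge(realm: str, error: Optional[str] = None,
              description: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value for a Bearer challenge.  Without
    an error parameter it only tells the client which scheme is accepted."""
    params = ['realm="%s"' % realm]
    if error:
        params.append('error="%s"' % error)
    if description:
        params.append('error_description="%s"' % description)
    return "Bearer " + ", ".join(params)


# Constructed stand-in for whatever validates the token *type* (a JWT
# verifier, a SAML assertion check, a database of issued tokens).  The
# scheme layer above never inspects the token's content or format.
_ISSUED_TOKENS: Dict[str, str] = {
    "mF_9.B5f-4.1JqM": "alice",
    "abc123==": "bob",
}


def authorize_request(headers: Dict[str, str],
                      realm: str = "example") -> Tuple[int, Dict[str, str]]:
    """Decide the response to one request: (HTTP status, response headers)."""
    auth = headers.get("Authorization")
    if auth is None or not auth.strip().lower().startswith("bearer"):
        # No Bearer credential presented: plain challenge, no error code.
        return 401, {"WWW-Authenticate": challenge(realm)}
    token = parse_bearer(auth)
    if token is None:
        # Bearer scheme named but the syntax is wrong: malformed request.
        return 400, {"WWW-Authenticate": challenge(
            realm, "invalid_request", "malformed Authorization header")}
    subject = _ISSUED_TOKENS.get(token)
    if subject is None:
        # Well-formed header, but the token-type validator rejects it.
        return 401, {"WWW-Authenticate": challenge(realm, "invalid_token")}
    return 200, {"X-Subject": subject}
```

Note that `parse_bearer` never decodes the token: whether the value is a JWT, a SAML reference or a random database key is decided entirely by what sits behind `_ISSUED_TOKENS`, which is exactly why a mandatory-to-implement scheme says nothing about a mandatory token type.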


From barryleiba@gmail.com  Thu Nov 17 00:41:30 2011
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ECA221F9A2F for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:41:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.842
X-Spam-Level: 
X-Spam-Status: No, score=-102.842 tagged_above=-999 required=5 tests=[AWL=0.135, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PVQ7bGcIhp3b for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 00:41:29 -0800 (PST)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 812F421F9A2C for <oauth@ietf.org>; Thu, 17 Nov 2011 00:41:29 -0800 (PST)
Received: by eyg24 with SMTP id 24so1941843eyg.31 for <oauth@ietf.org>; Thu, 17 Nov 2011 00:41:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=vBt+YmUGsyrCbTU7Jqp5bCnQii8TR/Q7h0IoQa7nKmI=; b=IiJjnKjxQI7Wv0SlLS9+chF3V6pO2tNBE/zJ4g0oVLC3mKihVmvtNX1eXzPSzVi+s8 CTQ+wgMbucdqlWHt5rUZHJ8sipIQFJnIF4pELK128Xa5ogLiss2qNCvAYS6ZmYeqhYAf 7MKylmC5juogn/EcJrujxaXu+5SbKHDARQ/00=
MIME-Version: 1.0
Received: by 10.229.192.73 with SMTP id dp9mr5215291qcb.134.1321519286803; Thu, 17 Nov 2011 00:41:26 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.229.184.20 with HTTP; Thu, 17 Nov 2011 00:41:26 -0800 (PST)
Date: Thu, 17 Nov 2011 16:41:26 +0800
X-Google-Sender-Auth: 25oS8yaNcgewBmdDCUAlu61iCUg
Message-ID: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 08:41:30 -0000

The OAuth base doc refers in two places to TLS versions (with the same
text in both places):

OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport-layer mechanisms meeting its security
requirements.

In both the shepherd review and the AD review, this was called into question:
1. MUST for an old version and SHOULD for the current version seems wrong.
2. Having specific versions required locks us into those versions (for
example, all implementations will have to support TLS 1.0, even long
after it becomes obsolete, unless we rev the spec).

I have suggested the following change, as doc shepherd:

NEW
The authorization server MUST implement the current version of TLS
(1.2 [RFC5246] at the time of this writing), and SHOULD implement the
most widely deployed previous version (1.0 [RFC2246] at the time of this
writing), unless that version is deprecated due to security
vulnerabilities.  It MAY also implement additional transport-layer
mechanisms that meet its security requirements.

I believe this also gives us the effect we want, without the two
problems above.  There was consensus in the meeting for accepting this
text.  Confirming on the list:

Please respond to this thread if you *object* to this change, and say
why.  Please respond by 2 Dec 2011.

Barry, as document shepherd
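
The two wordings above differ in what a minimally conforming server may offer, and that in turn decides which peers it can still talk to. The block below is an added example for this archive, not text or code from the OAuth draft or the working group: it models the OLD and NEW requirements as sets of TLS versions, runs a small stand-in for version negotiation against them, and applies the resulting floor to a stdlib `ssl.SSLContext`. TLS 1.3 (RFC 8446) and the deprecation of TLS 1.0 and 1.1 (RFC 8996) postdate this thread; the DEPRECATED set, the helper names and the client version lists are the example's own assumptions.

```python
"""TLS version policy for an authorization server's HTTPS listener.

Added example; this is not text or code from the OAuth draft or from the
working group.  It models the two wordings in the thread as version sets:
the OLD text lets a server stop at TLS 1.0, the NEW text makes the current
version mandatory and keeps an older one only while it is not deprecated.
negotiate() is a stand-in for the real handshake's version selection, and
apply_policy() turns the chosen set into a real ssl.SSLContext setting.
TLS 1.3 (RFC 8446) and the deprecation of TLS 1.0/1.1 (RFC 8996) postdate
the thread; the DEPRECATED set below is a constructed policy input.
"""
import ssl
from typing import Iterable, Optional, Set

V = ssl.TLSVersion
KNOWN = [V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]   # ordered, oldest first

CURRENT = V.TLSv1_2      # "current version ... at the time of this writing"
PREVIOUS = V.TLSv1       # "most widely deployed previous version"
# Deprecated for security reasons (RFC 8996).  A deployment would take
# this from its own policy; it is an input here, not a fact of the thread.
DEPRECATED: Set[ssl.TLSVersion] = {V.TLSv1, V.TLSv1_1}


def old_text_minimum() -> Set[ssl.TLSVersion]:
    """Smallest conforming server under the OLD text: TLS 1.0 is a MUST
    and TLS 1.2 only a SHOULD, so a server may speak 1.0 alone."""
    return {V.TLSv1}


def new_text_policy(deprecated: Set[ssl.TLSVersion] = DEPRECATED) -> Set[ssl.TLSVersion]:
    """Versions a server offers under the NEW text: MUST the current
    version (and anything newer), SHOULD the previous one unless it has
    been deprecated for security reasons."""
    offered = {v for v in KNOWN if v >= CURRENT}
    if PREVIOUS not in deprecated:
        offered.add(PREVIOUS)
    return offered


def negotiate(server: Iterable[ssl.TLSVersion],
              client: Iterable[ssl.TLSVersion]) -> Optional[ssl.TLSVersion]:
    """Highest version both peers support, or None when no handshake can
    succeed.  Stand-in for the real protocol's version selection."""
    common = set(server) & set(client)
    return max(common) if common else None


def apply_policy(ctx: ssl.SSLContext, offered: Set[ssl.TLSVersion]) -> ssl.SSLContext:
    """Enforce the policy's floor on a real context.  The ceiling is left
    at the library default so future replacements stay negotiable."""
    ctx.minimum_version = min(offered)
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Server context following the NEW text with today's deprecations:
    nothing below TLS 1.2 is negotiable."""
    return apply_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), new_text_policy())
```

With an empty deprecated set the policy reproduces the 2011 situation (1.0 kept for interop, 1.2 mandatory); with the RFC 8996 set it drops 1.0, which is the "unless that version is deprecated" escape hatch working as intended. The `old_text_minimum()` server cannot talk to a client that offers only 1.2 and later, which is the "left behind" outcome the NEW text is meant to avoid.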

From mamille2@cisco.com  Thu Nov 17 01:24:57 2011
Return-Path: <mamille2@cisco.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0522921F9B56 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 01:24:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLiO1dvMzUTy for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 01:24:56 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id C6E3821F9B1F for <oauth@ietf.org>; Thu, 17 Nov 2011 01:24:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mamille2@cisco.com; l=6321; q=dns/txt; s=iport; t=1321521896; x=1322731496; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=jQ1+j5WgDRrh0luANSf6Tq+1zE1UytRCXKIA4p3ZFHY=; b=fsPJOJWTNnbF9kWCOfoZ59k4HCcUb5B4EEoHKoglQZZQOzAUpnAyoN+i Q8O2RA/n6/NUx/1GUo6CkVtP96FaDLcjdrW+yITkaUYOIA2vSVg9/39ST qj3u9hP2uhp7i6YaMcyfkZLO/6iZeAO7ukak6aNcSYpHtgvTWJNxSqjw+ Y=;
X-Files: smime.p7s : 2214
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApMAAAHSxE6rRDoI/2dsb2JhbABCmXiNIYJlgQWBcgEBAQMBAQEBDwFbCwUHBAsOAwQBASgHAiUfCQgGARIih2AIlSwBnjIEiTRjBIgTjCKFO4xO
X-IronPort-AV: E=Sophos;i="4.69,526,1315180800";  d="p7s'?scan'208";a="14726760"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-2.cisco.com with ESMTP; 17 Nov 2011 09:24:53 +0000
Received: from [10.21.76.31] ([10.21.76.31]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id pAH9Op0m029408; Thu, 17 Nov 2011 09:24:52 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-4--382692241; protocol="application/pkcs7-signature"; micalg=sha1
From: Matt Miller <mamille2@cisco.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Thu, 17 Nov 2011 17:24:51 +0800
Message-Id: <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
References: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.1084)
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 09:24:57 -0000

--Apple-Mail-4--382692241
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Further clarification (-:  This is not (or shortly will not be) limited
to HTTP.  There is work to use OAUTH over SASL, which opens it up to a
much much broader audience (e.g. IMAP, SMTP, and XMPP).

> 1. Should we specify some token type as mandatory to implement?  Why
> or why not (*briefly*)?

Yes.  I believe it is necessary to provide a baseline for implementors,
and will help make the "80% rule" easier; if "everyone" supports <x>
then I will find client, authorization, and resource software that will
"just work".  I think this becomes even more important as OAuth is used
with well-established resource servers (e.g. cloud-based XMPP service).

>
> 2. If we do specify one, which token type should it be?
>

I personally am ambivalent.

On Nov 17, 2011, at 16:32, Mike Jones wrote:

> Terminology correction:  This discussion was actually about HTTP
> authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML,
> etc.).  I've changed the subject line of the thread accordingly.
>
> 				-- Mike
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Barry Leiba
> Sent: Thursday, November 17, 2011 12:29 AM
> To: oauth WG
> Subject: [OAUTH-WG] Mandatory-to-implement token type
>
> Stephen, as AD, brought up the question of mandatory-to-implement
> token types, in the IETF 82 meeting.  There was some extended discussion
> on the point:
>
> - Stephen is firm in his belief that it's necessary for
> interoperability.  He notes that mandatory to *implement* is not the
> same as mandatory to *use*.
> - Several participants believe that without a mechanism for requesting
> or negotiating a token type, there is no value in having any type be
> mandatory to implement.
>
> Stephen is happy to continue the discussion on the list, and make his
> point clear.  In any case, there was clear consensus in the room that we
> *should* specify a mandatory-to-implement type, and that that type be
> bearer tokens.  This would be specified in the base document, and would
> make a normative reference from the base doc to the bearer token doc.
>
> We need to confirm that consensus on the mailing list, so this starts
> the discussion.  Let's work on resolving this over the next week or so,
> and moving forward:
>
> 1. Should we specify some token type as mandatory to implement?  Why
> or why not (*briefly*)?
>
> 2. If we do specify one, which token type should it be?
>
> Barry, as chair
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

- m&m

Matt Miller - <mamille2@cisco.com>
Collaboration Software Group - Cisco Systems, Inc.




--Apple-Mail-4--382692241
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail-4--382692241--

From rrichards@cdatazone.org  Thu Nov 17 03:07:25 2011
Return-Path: <rrichards@cdatazone.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A823121F9B02 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:07:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJDKy2f0SHo6 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:07:25 -0800 (PST)
Received: from smtp2go.com (smtp2go.com [207.58.142.213]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB5921F9AA8 for <oauth@ietf.org>; Thu, 17 Nov 2011 03:07:24 -0800 (PST)
Message-ID: <4EC4EAE6.1020106@cdatazone.org>
Date: Thu, 17 Nov 2011 06:07:18 -0500
From: Rob Richards <rrichards@cdatazone.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
In-Reply-To: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 11:07:25 -0000

Please refer to this thread about the problem with requiring anything 
more than TLS 1.0
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html

You will end up with a spec that virtually no one can implement and be 
in conformance with. I still have yet to find an implementation out in 
the wild that supports anything more than TLS 1.0

Rob

On 11/17/11 3:41 AM, Barry Leiba wrote:
> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places):
>
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> support additional transport-layer mechanisms meeting its security
> requirements.
>
> In both the shepherd review and the AD review, this was called into question:
> 1. MUST for an old version and SHOULD for the current version seems wrong.
> 2. Having specific versions required locks us into those versions (for
> example, all implementations will have to support TLS 1.0, even long
> after it becomes obsolete, unless we rev the spec).
>
> I have suggested the following change, as doc shepherd:
>
> NEW
> The authorization server MUST implement the current version of TLS
> (1.2 [RFC5246] at the time of this writing), and SHOULD implement the
> most widely deployed previous version (1.0 [RFC2246] at the time of this
> writing), unless that version is deprecated due to security
> vulnerabilities.  It MAY also implement additional transport-layer
> mechanisms that meet its security requirements.
>
> I believe this also gives us the effect we want, without the two
> problems above.  There was consensus in the meeting for accepting this
> text.  Confirming on the list:
>
> Please respond to this thread if you *object* to this change, and say
> why.  Please respond by 2 Dec 2011.
>
> Barry, as document shepherd
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


From tonynad@microsoft.com  Thu Nov 17 03:15:45 2011
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34B0921F9B81 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:15:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.392
X-Spam-Level: 
X-Spam-Status: No, score=-7.392 tagged_above=-999 required=5 tests=[AWL=0.075,  BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IpfdCugVDa1G for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:15:44 -0800 (PST)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 8505121F9B78 for <oauth@ietf.org>; Thu, 17 Nov 2011 03:15:44 -0800 (PST)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 17 Nov 2011 03:15:44 -0800
Received: from VA3EHSOBE001.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.1.355.3; Thu, 17 Nov 2011 03:15:43 -0800
Received: from mail63-va3-R.bigfish.com (10.7.14.250) by VA3EHSOBE001.bigfish.com (10.7.40.21) with Microsoft SMTP Server id 14.1.225.22; Thu, 17 Nov 2011 11:15:08 +0000
Received: from mail63-va3 (localhost [127.0.0.1])	by mail63-va3-R.bigfish.com (Postfix) with ESMTP id AE6D2160455	for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 17 Nov 2011 11:20:04 +0000 (UTC)
X-SpamScore: -37
X-BigFish: PS-37(zzbb2dK9371K542M1432N98dKzz1202h1082kzz1033IL8275dhz31h2a8h668h839h944h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:157.55.157.141; KIP:(null); UIP:(null); (null); H:SN2PRD0304HT002.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail63-va3: transitioning domain of microsoft.com does not designate 157.55.157.141 as permitted sender) client-ip=157.55.157.141; envelope-from=tonynad@microsoft.com; helo=SN2PRD0304HT002.namprd03.prod.outlook.com ; .outlook.com ; 
Received: from mail63-va3 (localhost.localdomain [127.0.0.1]) by mail63-va3 (MessageSwitch) id 1321528804476021_17273; Thu, 17 Nov 2011 11:20:04 +0000 (UTC)
Received: from VA3EHSMHS027.bigfish.com (unknown [10.7.14.244])	by mail63-va3.bigfish.com (Postfix) with ESMTP id 6B22080042; Thu, 17 Nov 2011 11:20:04 +0000 (UTC)
Received: from SN2PRD0304HT002.namprd03.prod.outlook.com (157.55.157.141) by VA3EHSMHS027.bigfish.com (10.7.99.37) with Microsoft SMTP Server (TLS) id 14.1.225.22; Thu, 17 Nov 2011 11:15:06 +0000
Received: from SN2PRD0304MB235.namprd03.prod.outlook.com ([169.254.10.245]) by SN2PRD0304HT002.namprd03.prod.outlook.com ([10.111.196.121]) with mapi id 14.16.0082.000; Thu, 17 Nov 2011 11:15:38 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Rob Richards <rrichards@cdatazone.org>, Barry Leiba <barryleiba@computer.org>
Thread-Topic: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Thread-Index: AQHMpQS7Auve7+zH8EmS+jD2gTHFwJWw6BoAgAABP/A=
Date: Thu, 17 Nov 2011 11:15:38 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E73A8BFC6A@SN2PRD0304MB235.namprd03.prod.outlook.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org>
In-Reply-To: <4EC4EAE6.1020106@cdatazone.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.111.196.25]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: SN2PRD0304HT002.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%CDATAZONE.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%COMPUTER.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14MLTC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC104.redmond.corp.microsoft.com
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 11:15:45 -0000

I would agree, as we ran into this in some of the deployments we had. What
is the driving factor here for 1.2 over 1.0?

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
Rob Richards
Sent: Thursday, November 17, 2011 3:07 AM
To: Barry Leiba
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Please refer to this thread about the problem with requiring anything more
than TLS 1.0 http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html

You will end up with a spec that virtually no one can implement and be in
conformance with. I still have yet to find an implementation out in the wild
that supports anything more than TLS 1.0

Rob

On 11/17/11 3:41 AM, Barry Leiba wrote:
> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places):
>
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> support additional transport-layer mechanisms meeting its security
> requirements.
>
> In both the shepherd review and the AD review, this was called into question:
> 1. MUST for an old version and SHOULD for the current version seems wrong.
> 2. Having specific versions required locks us into those versions (for
> example, all implementations will have to support TLS 1.0, even long
> after it becomes obsolete, unless we rev the spec).
>
> I have suggested the following change, as doc shepherd:
>
> NEW
> The authorization server MUST implement the current version of TLS
> (1.2 [RFC5246] at the time of this writing), and SHOULD implement the
> most widely deployed previous version (1.0 [RFC2246] at the time of this
> writing), unless that version is deprecated due to security
> vulnerabilities.  It MAY also implement additional transport-layer
> mechanisms that meet its security requirements.
>
> I believe this also gives us the effect we want, without the two
> problems above.  There was consensus in the meeting for accepting this
> text.  Confirming on the list:
>
> Please respond to this thread if you *object* to this change, and say
> why.  Please respond by 2 Dec 2011.
>
> Barry, as document shepherd
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





From barryleiba@gmail.com  Thu Nov 17 03:18:40 2011
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CF5221F9B29 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:18:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.844
X-Spam-Level: 
X-Spam-Status: No, score=-102.844 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KI64r6CooM3x for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:18:40 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id F0E0421F9B11 for <oauth@ietf.org>; Thu, 17 Nov 2011 03:18:39 -0800 (PST)
Received: by ywt34 with SMTP id 34so1055221ywt.31 for <oauth@ietf.org>; Thu, 17 Nov 2011 03:18:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=S8T16SkRFIki9thpAdRow1zCrnukPT7h3LQz5z9pQhY=; b=EGm1zHIqrwBFnem4yrwVNXtR3QBw+viuOzyTMz25cqmr/it/24AfgoueODbX2naN4w yzYL96Rv3qAlMotOZZxztPclgKQ3HnTXd7MbudXxd0hfNsQeYQFwuus25wKY6k9GNyJG fFNJh3rN+tN61TTdqmvqvuUdjCIosag+9VNuw=
MIME-Version: 1.0
Received: by 10.236.153.101 with SMTP id e65mr8089283yhk.59.1321528719318; Thu, 17 Nov 2011 03:18:39 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.236.95.37 with HTTP; Thu, 17 Nov 2011 03:18:39 -0800 (PST)
In-Reply-To: <4EC4EAE6.1020106@cdatazone.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org>
Date: Thu, 17 Nov 2011 19:18:39 +0800
X-Google-Sender-Auth: s7boQ1wn2Rb_NJ8Ap5ixFzZNpxU
Message-ID: <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Rob Richards <rrichards@cdatazone.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 11:18:40 -0000

> Please refer to this thread about the problem with requiring anything more
> than TLS 1.0
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end up with a spec that virtually no one can implement and be in
> conformance with. I still have yet to find an implementation out in the wild
> that supports anything more than TLS 1.0

Are you saying that there's some difficulty in *implementing* TLS 1.2?
If so, please explain what that difficulty is.

If you're saying that TLS 1.2 is not widely deployed, and so it's hard
to find two implementations that will actually *use* TLS 1.2 to talk
to each other, I have no argument with you.  But that's not the point.
If everyone implements only TLS 1.0, we'll never move forward.  And
when TLS 1.2 (or something later) does get rolled out, OAuth
implementations will be left behind.  If everyone implements 1.2 AND
1.0, then we'll be ready when things move.

I'm pretty sure there'll be trouble getting through the IESG with a
MUST for something two versions old, and a SHOULD for the current
version.

Barry

From tonynad@microsoft.com  Thu Nov 17 03:30:19 2011
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190BB21F9BF8 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:30:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.407
X-Spam-Level: 
X-Spam-Status: No, score=-7.407 tagged_above=-999 required=5 tests=[AWL=0.060,  BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h87Aw7pRfpPF for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 03:30:18 -0800 (PST)
Received: from smtp.microsoft.com (mail2.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 5635F21F9BF7 for <oauth@ietf.org>; Thu, 17 Nov 2011 03:30:18 -0800 (PST)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 17 Nov 2011 03:30:18 -0800
Received: from CH1EHSOBE003.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.1.355.3; Thu, 17 Nov 2011 03:30:17 -0800
Received: from mail79-ch1-R.bigfish.com (10.43.68.251) by CH1EHSOBE003.bigfish.com (10.43.70.53) with Microsoft SMTP Server id 14.1.225.22; Thu, 17 Nov 2011 11:29:43 +0000
Received: from mail79-ch1 (localhost [127.0.0.1])	by mail79-ch1-R.bigfish.com (Postfix) with ESMTP id E9D365A020D	for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 17 Nov 2011 11:30:28 +0000 (UTC)
X-SpamScore: -34
X-BigFish: PS-34(zz9371K542M1432N98dKzz1202h1082kzz1033IL8275bh8275dhz31h2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:157.55.157.141; KIP:(null); UIP:(null); (null); H:SN2PRD0304HT002.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail79-ch1: transitioning domain of microsoft.com does not designate 157.55.157.141 as permitted sender) client-ip=157.55.157.141; envelope-from=tonynad@microsoft.com; helo=SN2PRD0304HT002.namprd03.prod.outlook.com ; .outlook.com ; 
Received: from mail79-ch1 (localhost.localdomain [127.0.0.1]) by mail79-ch1 (MessageSwitch) id 1321529426690234_21493; Thu, 17 Nov 2011 11:30:26 +0000 (UTC)
Received: from CH1EHSMHS017.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.241])	by mail79-ch1.bigfish.com (Postfix) with ESMTP id 9C1D64C0043;	Thu, 17 Nov 2011 11:30:26 +0000 (UTC)
Received: from SN2PRD0304HT002.namprd03.prod.outlook.com (157.55.157.141) by CH1EHSMHS017.bigfish.com (10.43.70.17) with Microsoft SMTP Server (TLS) id 14.1.225.22; Thu, 17 Nov 2011 11:29:41 +0000
Received: from SN2PRD0304MB235.namprd03.prod.outlook.com ([169.254.10.245]) by SN2PRD0304HT002.namprd03.prod.outlook.com ([10.111.196.121]) with mapi id 14.16.0082.000; Thu, 17 Nov 2011 11:30:13 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Matt Miller <mamille2@cisco.com>, Mike Jones <Michael.Jones@microsoft.com>, Barry Leiba <barryleiba@computer.org>
Thread-Topic: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
Thread-Index: AcylA3xOv1mPWlVvR+6FueyJKdY3ogAB0WyAAAPxEEA=
Date: Thu, 17 Nov 2011 11:30:12 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E73A8BFC9F@SN2PRD0304MB235.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com> <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
In-Reply-To: <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

Making the draft-ietf-oauth-v2-bearer mandatory to implement gets us a bearer (unknown content and format) token from the authorization server; for the resource server this gets us an authentication scheme of bearer (unknown content and format) token. Not sure where this gets us towards interop as the content and format will be specific to authorization and resource server.

I don't fully understand the requirement for this mandatory to implement item beyond the fact that everyone has to implement bearer tokens of unknown content and format.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Matt Miller
Sent: Thursday, November 17, 2011 1:25 AM
To: Mike Jones; Barry Leiba
Cc: oauth WG
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

Further clarification (-:  This is not (or shortly will not be) limited to HTTP.  There is work to use OAUTH over SASL, which opens it up to a much much broader audience (e.g. IMAP, SMTP, and XMPP).

> 1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?

Yes.  I believe it is necessary to provide a baseline for implementors, and will help make the "80% rule" easier; if "everyone" supports <x> then I will find client, authorization, and resource software that will "just work".  I think this becomes even more important as OAuth is used with well-established resource servers (e.g. cloud-based XMPP service).

>
> 2. If we do specify one, which token type should it be?
>

I personally am ambivalent.

On Nov 17, 2011, at 16:32, Mike Jones wrote:

> Terminology correction:  This discussion was actually about HTTP authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML, etc.).  I've changed the subject line of the thread accordingly.
>
> 				-- Mike
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
> Sent: Thursday, November 17, 2011 12:29 AM
> To: oauth WG
> Subject: [OAUTH-WG] Mandatory-to-implement token type
>
> Stephen, as AD, brought up the question of mandatory-to-implement token types, in the IETF 82 meeting.  There was some extended discussion on the point:
>
> - Stephen is firm in his belief that it's necessary for interoperability.  He notes that mandatory to *implement* is not the same as mandatory to *use*.
> - Several participants believe that without a mechanism for requesting or negotiating a token type, there is no value in having any type be mandatory to implement.
>
> Stephen is happy to continue the discussion on the list, and make his point clear.  In any case, there was clear consensus in the room that we *should* specify a mandatory-to-implement type, and that that type be bearer tokens.  This would be specified in the base document, and would make a normative reference from the base doc to the bearer token doc.
>
> We need to confirm that consensus on the mailing list, so this starts the discussion.  Let's work on resolving this over the next week or so, and moving forward:
>
> 1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?
>
> 2. If we do specify one, which token type should it be?
>
> Barry, as chair

- m&m

Matt Miller - <mamille2@cisco.com>
Collaboration Software Group - Cisco Systems, Inc.





From tonynad@microsoft.com  Thu Nov 17 03:32:17 2011
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Anthony Nadalin <tonynad@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>, Rob Richards <rrichards@cdatazone.org>
Date: Thu, 17 Nov 2011 11:32:04 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E73A8BFCBC@SN2PRD0304MB235.namprd03.prod.outlook.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org> <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>
In-Reply-To: <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

And if the servers don't implement the "should" on 1.0, how do we get deployments for the other actors that can't talk to 1.2?

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
Sent: Thursday, November 17, 2011 3:19 AM
To: Rob Richards
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

> Please refer to this thread about the problem with requiring anything more than TLS 1.0
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end up with a spec that virtually no one can implement and be in conformance with. I still have yet to find an implementation out in the wild that supports anything more than TLS 1.0

Are you saying that there's some difficulty in *implementing* TLS 1.2?  If so, please explain what that difficulty is.

If you're saying that TLS 1.2 is not widely deployed, and so it's hard to find two implementations that will actually *use* TLS 1.2 to talk to each other, I have no argument with you.  But that's not the point.  If everyone implements only TLS 1.0, we'll never move forward.  And when TLS 1.2 (or something later) does get rolled out, OAuth implementations will be left behind.  If everyone implements 1.2 AND 1.0, then we'll be ready when things move.

I'm pretty sure there'll be trouble getting through the IESG with a MUST for something two versions old, and a SHOULD for the current version.

Barry





From barryleiba@gmail.com  Thu Nov 17 03:34:53 2011
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E73A8BFCBC@SN2PRD0304MB235.namprd03.prod.outlook.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org> <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BFCBC@SN2PRD0304MB235.namprd03.prod.outlook.com>
Date: Thu, 17 Nov 2011 19:34:52 +0800
Message-ID: <CALaySJL2Ortf+OM+_0PMb9db1bGN6EDCvSUTJTi0jZ+y283rfw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

> And if the servers don't implement the "should" on 1.0 how do we get
> deployments for the other actors that can't talk to 1.2

1. Do you think we'll really see implementations that don't work with
what's out there?

2. SHOULD doesn't mean MAY.  SHOULD means "MUST, unless you have a
really good reason to do otherwise, and understand the implications."

Barry

From rrichards@cdatazone.org  Thu Nov 17 03:51:28 2011
Return-Path: <rrichards@cdatazone.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Message-ID: <4EC4F538.6000406@cdatazone.org>
Date: Thu, 17 Nov 2011 06:51:20 -0500
From: Rob Richards <rrichards@cdatazone.org>
To: Barry Leiba <barryleiba@computer.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org> <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>
In-Reply-To: <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

I'm saying that it's very difficult for someone to implement an AS that implements TLS 1.2. TLS 1.2 is not supported in a good number of systems people deploy on. For example, the use of Apache and OpenSSL accounts for a good number of web servers out there. The only way to deploy a conforming AS is to use a not yet released version of openssl, 1.0.1, and rebuild, or use a different crypto library and rebuild. The barrier for entry to use OAuth 2.0 has just become too high for the majority of people out there. I have already hit a scenario where the security group for a company has balked at OAuth 2.0, prior to the change relaxing TLS 1.2 usage, because the deployed system did not support TLS 1.2 and it's against policy to use non-vendor approved versions of packages. Requiring TLS 1.2 is going to cause the majority to release non-conforming deployments of OAuth 2, just as it was before the previous change.

Rob

On 11/17/11 6:18 AM, Barry Leiba wrote:
>> Please refer to this thread about the problem with requiring anything more
>> than TLS 1.0
>> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>>
>> You will end up with a spec that virtually no one can implement and be in
>> conformance with. I still have yet to find an implementation out in the wild
>> that supports anything more than TLS 1.0
> Are you saying that there's some difficulty in *implementing* TLS 1.2?  If so, please explain what that difficulty is.
>
> If you're saying that TLS 1.2 is not widely deployed, and so it's hard
> to find two implementations that will actually *use* TLS 1.2 to talk
> to each other, I have no argument with you.  But that's not the point.
>   If everyone implements only TLS 1.0, we'll never move forward.  And
> when TLS 1.2 (or something later) does get rolled out, OAuth
> implementations will be left behind.  If everyone implements 1.2 AND
> 1.0, then we'll be ready when things move.
>
> I'm pretty sure there'll be trouble getting through the IESG with a
> MUST for something two versions old, and a SHOULD for the current
> version.
>
> Barry
>
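Barry's "implement 1.2 AND 1.0" and Rob's point about what deployed stacks can actually do are, operationally, a question of what a deployment negotiates rather than what its spec text says. The following is an added example, not code from this thread or from any OAuth project: a Python client-side TLS context that enforces a minimum protocol version while still negotiating upward, and a small report over constructed mod_ssl-style access log lines that counts negotiated versions and lists the clients a given floor would cut off. The log layout (a LogFormat ending in %{SSL_PROTOCOL}x), the client addresses, the timestamps and the TLS 1.2 floor are all assumptions made for the example.

```python
import ssl
from collections import Counter

# Policy floor assumed for this example: the version the thread's SHOULD
# refers to. Raise it as the client population moves.
POLICY_FLOOR = ssl.TLSVersion.TLSv1_2
POLICY_FLOOR_NAME = "TLSv1.2"


def client_context(floor=POLICY_FLOOR):
    """Client-side context that refuses anything below `floor` but still
    negotiates upward (TLS 1.3 where the peer offers it). Certificate and
    hostname verification stay on, as create_default_context sets them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    return ctx


# Ordering of protocol names as mod_ssl writes them for %{SSL_PROTOCOL}x.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed access log lines for an authorization server whose LogFormat
# ends with the negotiated protocol; addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Nov/2011:11:30:12 +0000] "POST /token HTTP/1.1" 200 TLSv1
203.0.113.11 - - [17/Nov/2011:11:30:15 +0000] "POST /token HTTP/1.1" 200 TLSv1.2
203.0.113.12 - - [17/Nov/2011:11:30:19 +0000] "GET /resource HTTP/1.1" 200 TLSv1.2
203.0.113.13 - - [17/Nov/2011:11:30:22 +0000] "GET /resource HTTP/1.1" 401 TLSv1
203.0.113.14 - - [17/Nov/2011:11:30:25 +0000] "GET /resource HTTP/1.1" 200 SSLv3
"""


def negotiated_protocol(line):
    """The protocol is the last whitespace-separated field of a log line."""
    return line.rsplit(None, 1)[-1]


def tls_version_report(log_text, floor_name=POLICY_FLOOR_NAME):
    """Count connections per negotiated version and list the client addresses
    that connected below the floor. Unknown protocol strings are treated as
    below the floor so that a parsing surprise is surfaced, not hidden."""
    counts = Counter()
    below = []
    floor_rank = VERSION_RANK[floor_name]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto = negotiated_protocol(line)
        counts[proto] += 1
        if VERSION_RANK.get(proto, -1) < floor_rank:
            below.append(line.split(None, 1)[0])
    return {"counts": dict(counts), "below_floor": below}


if __name__ == "__main__":
    report = tls_version_report(SAMPLE_LOG)
    print("negotiated versions:", report["counts"])
    print("clients below", POLICY_FLOOR_NAME + ":", report["below_floor"])
    print("client floor:", client_context().minimum_version.name)
```

Run against real logs, the report answers the question Barry and Rob are arguing about with numbers: how much of the current client population actually depends on TLS 1.0, and therefore what raising the floor to 1.2 would break today. The context does for the client side what Barry proposes: the floor is a minimum, and the handshake still picks the highest version both sides support, so a client built this way is not left behind when the other side moves.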


From ve7jtb@ve7jtb.com  Thu Nov 17 05:34:41 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
Date: Thu, 17 Nov 2011 10:34:33 -0300
Message-Id: <D1F5ABFF-81A4-4A1C-8E69-84AFD7AD71CB@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com> <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
To: Matt Miller <mamille2@cisco.com>
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

Unless I am missing something this is about the HTTP authentication scheme that the protected resource MUST support.  Token type is a bit of a misdirection.

While it would be possible to use some profile of bearer with those other protocols, making a specific HTTP binding of MAC or Bearer MTI would preclude ever having a conforming version for SMTP.

Not that there aren't other HTTP specific things in the spec that may also be an issue.

I don't think that having an MTI token type/http authentication scheme alone gets us interoperability.
I don't even know if OAuth 2.0 interoperability between two unrelated systems is a goal.
Other specs like OpenID Connect have that goal.

If I have to pick one authentication scheme as MTI for the protected resource it would be Bearer.

John B.
On 2011-11-17, at 6:24 AM, Matt Miller wrote:

> Further clarification (-:  This is not (or shortly will not be) limited to HTTP.  There is work to use OAUTH over SASL, which opens it up to a much much broader audience (e.g. IMAP, SMTP, and XMPP).
>
>> 1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?
>
> Yes.  I believe it is necessary to provide a baseline for implementors, and will help make the "80% rule" easier; if "everyone" supports <x> then I will find client, authorization, and resource software that will "just work".  I think this becomes even more important as OAuth is used with well-established resource servers (e.g. cloud-based XMPP service).
>
>>
>> 2. If we do specify one, which token type should it be?
>>
>
> I personally am ambivalent.
>
> On Nov 17, 2011, at 16:32, Mike Jones wrote:
>
>> Terminology correction:  This discussion was actually about HTTP authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML, etc.).  I've changed the subject line of the thread accordingly.
>>
>> 				-- Mike
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
>> Sent: Thursday, November 17, 2011 12:29 AM
>> To: oauth WG
>> Subject: [OAUTH-WG] Mandatory-to-implement token type
>>
>> Stephen, as AD, brought up the question of mandatory-to-implement token types, in the IETF 82 meeting.  There was some extended discussion on the point:
>>
>> - Stephen is firm in his belief that it's necessary for interoperability.  He notes that mandatory to *implement* is not the same as mandatory to *use*.
>> - Several participants believe that without a mechanism for requesting or negotiating a token type, there is no value in having any type be mandatory to implement.
>>
>> Stephen is happy to continue the discussion on the list, and make his point clear.  In any case, there was clear consensus in the room that we *should* specify a mandatory-to-implement type, and that that type be bearer tokens.  This would be specified in the base document, and would make a normative reference from the base doc to the bearer token doc.
>>
>> We need to confirm that consensus on the mailing list, so this starts the discussion.  Let's work on resolving this over the next week or so, and moving forward:
>>
>> 1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?
>>
>> 2. If we do specify one, which token type should it be?
>>
>> Barry, as chair
>
> - m&m
>
> Matt Miller - <mamille2@cisco.com>
> Collaboration Software Group - Cisco Systems, Inc.
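Anthony's point earlier in the thread (the resource server sees an opaque bearer token, whatever its content and format) and John's point here (what the draft actually pins down is the HTTP authentication scheme the protected resource must support) both come down to what a resource server does with the Authorization header. The following is an added example, not code from the thread or from any OAuth implementation: a Python decision routine for a protected resource that parses the Bearer credential with the header syntax of the bearer draft (published later as RFC 6750), looks the opaque token up in a constructed token store, and answers with the draft's WWW-Authenticate challenge and error codes. The realm, the token values, the scope names and the token store itself are assumptions made for the example.

```python
import re
from http import HTTPStatus

# Credential syntax from the bearer draft (RFC 6750, section 2.1): the scheme
# name followed by a b64token. The resource server treats the token as an
# opaque string, which is exactly why the scheme says nothing about format.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

REALM = "example"  # realm assumed for this example

# Constructed token store standing in for whatever the authorization server
# issued. The handles are opaque here; a JWT or SAML validator would slot in
# at the same point without touching the scheme handling below.
ISSUED_TOKENS = {
    "mF_9.B5f-4.1JqM": {"scope": {"read"}, "expired": False},
    "expired-token-0001": {"scope": {"read", "write"}, "expired": True},
}


def parse_bearer(authorization_header):
    """Return the token from an Authorization header, or None if it is not a
    syntactically valid Bearer credential (other scheme, bad characters)."""
    if authorization_header is None:
        return None
    match = _BEARER_RE.match(authorization_header.strip())
    return match.group(1) if match else None


def challenge(error=None, description=None, scope=None):
    """Build the WWW-Authenticate value the resource server sends back
    (RFC 6750 section 3): realm always, error attributes only when there
    was a credential to complain about."""
    attrs = [f'realm="{REALM}"']
    if error:
        attrs.append(f'error="{error}"')
    if description:
        attrs.append(f'error_description="{description}"')
    if scope:
        attrs.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(attrs)


def authorize_request(headers, required_scope):
    """Decide a protected-resource request.

    Returns (HTTP status, WWW-Authenticate value or None). Status codes follow
    RFC 6750 section 3.1: 400 for a malformed request, 401 for a missing,
    unknown or expired token, 403 for a valid token that lacks the scope.
    """
    auth = headers.get("Authorization")
    if auth is None:
        # No credential at all: challenge without an error code, so an
        # unauthenticated probe learns nothing about token validity.
        return HTTPStatus.UNAUTHORIZED, challenge()

    token = parse_bearer(auth)
    if token is None:
        return HTTPStatus.BAD_REQUEST, challenge(
            "invalid_request", "Authorization header is not a Bearer credential")

    record = ISSUED_TOKENS.get(token)
    if record is None or record["expired"]:
        # Same answer for unknown and expired tokens: the client only needs
        # to learn that it must obtain a fresh one.
        return HTTPStatus.UNAUTHORIZED, challenge(
            "invalid_token", "token is unknown or expired")

    if required_scope not in record["scope"]:
        return HTTPStatus.FORBIDDEN, challenge("insufficient_scope", scope=required_scope)

    return HTTPStatus.OK, None


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer mF_9.B5f-4.1JqM"},
                 {"Authorization": "Basic Zm9vOmJhcg=="},
                 {"Authorization": "Bearer expired-token-0001"}):
        print(hdrs, "->", authorize_request(hdrs, "read"))
```

The token store is the only place the token's format matters; everything else is scheme handling, which is why making the scheme mandatory-to-implement says nothing about token format. The response to a request with no credential deliberately carries no error attribute, so the challenge cannot be used to tell valid handles from invalid ones.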


From jricher@mitre.org  Thu Nov 17 07:24:35 2011
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Message-ID: <1321543457.7567.137.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: Barry Leiba <barryleiba@computer.org>
Date: Thu, 17 Nov 2011 10:24:17 -0500
In-Reply-To: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type

> 1. Should we specify some token type as mandatory to implement?  Why
> or why not (*briefly*)?

No, since I do not believe that the force of compliance with this one point of the spec will be enough to persuade those who don't want to use whatever the MTI token type ends up being to use it. Let's say that we were to pick Bearer, but Example.com decides to only support MAC for their API. Is it correct to say that Example.com is not really doing OAuth2? I would argue no, since they're doing everything within spec to issue tokens, and the tokens that they're issuing are well defined and within spec as well. So then let's say, hypothetically, that in order to comply with the letter of the law, they implement a Bearer token as well as MAC. But which type do they issue to clients? Clients have no way of choosing or discovering what kind of token comes back (yet). If Bearer is MTI, how do you even use another token type?

Which brings us to MTI in clients, which makes even less sense. Let's
say that I'm writing a client to talk to Example.com, which hands back
MAC tokens. I want to comply with the spec, so I implement Bearer
support in my client, code paths which will never see the light of day. 

Then there's the argument that a generic library is what's really meant
by "client" here, and that those MUST follow the MTI guidelines. I also
find this to be ludicrous, since client libraries will implement
whatever servers support. A good client library will support *both* MAC
and Bearer together, along with whatever magical tokens that haven't
been dreamed up yet that are getting traction.

Ultimately, I think that our declaring something MTI is a position of
hubris that won't affect how people really use this thing.

 -- Justin


From jricher@mitre.org  Thu Nov 17 07:28:42 2011
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Message-ID: <1321543706.7567.140.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: Rob Richards <rrichards@cdatazone.org>
Date: Thu, 17 Nov 2011 10:28:26 -0500
In-Reply-To: <4EC4F538.6000406@cdatazone.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org> <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com> <4EC4F538.6000406@cdatazone.org>
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 15:28:42 -0000

Agree with Rob here. Also, from an application and service developer's
perspective, the check for "TLS compliance" is going to go something
like this:

1) Does that url start with "https"?
2) If yes, I'm compliant!
3) If no, make the url start with "https"
4) Done!

Which will put us in exactly the position Rob outlines here. What we
really want is for people to use suitable socket encryption, whatever
that means at the time of deployment.

 -- Justin

On Thu, 2011-11-17 at 06:51 -0500, Rob Richards wrote:
> I'm saying that it's very difficult for someone to implement an AS that
> implements TLS 1.2. TLS 1.2 is not supported in a good number of
> systems people deploy on. For example, the use of Apache and OpenSSL
> accounts for a good number of web servers out there. The only way to
> deploy a conforming AS is to use a not yet released version of openssl,
> 1.0.1, and rebuild or use a different crypto library and rebuild. The
> barrier for entry to use OAuth 2.0 has just become too high for the
> majority of people out there. I have already hit a scenario where the
> security group for a company has balked at OAuth 2.0, prior to the
> change relaxing TLS 1.2 usage, because the deployed system did not
> support TLS 1.2 and it's against policy to use non-vendor approved
> versions of packages. Requiring TLS 1.2 is going to cause the majority
> to release non-conforming deployments of OAuth 2, just as it was before
> the previous change.
> 
> Rob
> 
> On 11/17/11 6:18 AM, Barry Leiba wrote:
> >> Please refer to this thread about the problem with requiring anything more
> >> than TLS 1.0
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
> >>
> >> You will end up with a spec that virtually no one can implement and be in
> >> conformance with. I still have yet to find an implementation out in the wild
> >> that supports anything more than TLS 1.0
> > Are you saying that there's some difficulty in *implementing* TLS 1.2
> > ?  If so, please explain what that difficulty is.
> >
> > If you're saying that TLS 1.2 is not widely deployed, and so it's hard
> > to find two implementations that will actually *use* TLS 1.2 to talk
> > to each other, I have no argument with you.  But that's not the point.
> >   If everyone implements only TLS 1.0, we'll never move forward.  And
> > when TLS 1.2 (or something later) does get rolled out, OAuth
> > implementations will be left behind.  If everyone implements 1.2 AND
> > 1.0, then we'll be ready when things move.
> >
> > I'm pretty sure there'll be trouble getting through the IESG with a
> > MUST for something two versions old, and a SHOULD for the current
> > version.
> >
> > Barry
> >
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



From wmills@yahoo-inc.com  Thu Nov 17 08:22:15 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D76F11E8184 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 08:22:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.08
X-Spam-Level: 
X-Spam-Status: No, score=-17.08 tagged_above=-999 required=5 tests=[AWL=0.518,  BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id guKf47SPr9Ry for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 08:22:14 -0800 (PST)
Received: from nm10-vm0.bullet.mail.bf1.yahoo.com (nm10-vm0.bullet.mail.bf1.yahoo.com [98.139.213.147]) by ietfa.amsl.com (Postfix) with SMTP id 7A9A511E817C for <oauth@ietf.org>; Thu, 17 Nov 2011 08:22:14 -0800 (PST)
Received: from [98.139.212.151] by nm10.bullet.mail.bf1.yahoo.com with NNFMP; 17 Nov 2011 16:22:08 -0000
Received: from [98.139.212.249] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 17 Nov 2011 16:22:08 -0000
Received: from [127.0.0.1] by omp1058.mail.bf1.yahoo.com with NNFMP; 17 Nov 2011 16:22:08 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 336421.92128.bm@omp1058.mail.bf1.yahoo.com
Received: (qmail 69223 invoked by uid 60001); 17 Nov 2011 16:22:07 -0000
Received: from [99.31.212.42] by web31809.mail.mud.yahoo.com via HTTP; Thu, 17 Nov 2011 08:22:07 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.331203
References: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com>
Message-ID: <1321546927.30880.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Thu, 17 Nov 2011 08:22:07 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: oauth WG <oauth@ietf.org>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1395015409-1611526563-1321546927=:30880"
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 16:22:15 -0000

> 1. Should we specify some token type as mandatory to implement?  Why or
> why not (*briefly*)?

Briefly... No.  Because it doesn't actually solve the whole problem and
mandates a particular security model.

Not so briefly....

It tries to solve the client-to-server interoperability by ensuring that
there is a supported auth type, but in fact it will mandate a security
model which is something the core spec has specifically avoided.  Signed
tokens (MAC etc.) and bearer type tokens (Bearer, JWT, etc.) are
different in their security characteristics.

It also does not solve at all the problem of token compatibility, which
is something the auth and protected service endpoints have to agree on
within a realm.  It is difficult to justify that there has to be realm
to realm compatibility.

What we actually need to support as MTI is that the clients can discover
what authentication schemes are supported for the endpoints they want to
access and select a method they support.  This is very much in the SSL
model of choosing key exchange and cipher suites.

-bill


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
Sent: Thursday, November 17, 2011 12:29 AM
To: oauth WG
Subject: [OAUTH-WG] Mandatory-to-implement token type

Stephen, as AD, brought up the question of mandatory-to-implement token
types, in the IETF 82 meeting.  There was some extended discussion on
the point:

- Stephen is firm in his belief that it's necessary for
interoperability.  He notes that mandatory to *implement* is not the
same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting
or negotiating a token type, there is no value in having any type be
mandatory to implement.

Stephen is happy to continue the discussion on the list, and make his
point clear.  In any case, there was clear consensus in the room that we
*should* specify a mandatory-to-implement type, and that that type be
bearer tokens.  This would be specified in the base document, and would
make a normative reference from the base doc to the bearer token doc.

We need to confirm that consensus on the mailing list, so this starts
the discussion.  Let's work on resolving this over the next week or so,
and moving forward:

1. Should we specify some token type as mandatory to implement?  Why or
why not (*briefly*)?

2. If we do specify one, which token type should it be?

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
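Bill's discovery model, as an added example that is not part of the original post or of any OAuth draft: a client parses the WWW-Authenticate challenges a protected resource returns and picks the first scheme it supports in its own preference order, the way a TLS client picks a cipher suite. The header values, the scheme names offered and the client preference lists are constructed for this example.

```python
"""Choose an HTTP authentication scheme from WWW-Authenticate challenges.

Added example, not code from the OAuth WG or any OAuth draft. It assumes the
resource server advertises the schemes it accepts (e.g. Bearer, MAC) as
WWW-Authenticate challenges in RFC 2617 syntax and that the client holds an
ordered list of the schemes it implements. Sample headers are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# One challenge: (scheme, {param: value}); scheme and param names are
# case-insensitive, so both are normalised to lower case.
Challenge = Tuple[str, Dict[str, str]]

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param: token "=" ( token / quoted-string ), optional whitespace around
# "=". Group 2 is a quoted value (escapes intact), group 3 a bare token.
_PARAM = re.compile(r'^(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))$')
_SCHEME_WITH_PARAM = re.compile(r"^(" + _TOKEN + r")\s+(.+)$")

# Constructed sample response header (not from any real service).
SAMPLE_HEADERS = ['Bearer realm="api.example", scope="photos", MAC realm="api.example"']


def _split_top_level(value: str) -> List[str]:
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _value(param_match) -> str:
    """Return the auth-param value with quoted-string escapes removed."""
    quoted, bare = param_match.group(2), param_match.group(3)
    return re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare


def parse_challenges(headers: List[str]) -> List[Challenge]:
    """Parse one or more WWW-Authenticate header values into challenges.

    A comma separates both challenges and auth-params, so: a scheme token
    followed by whitespace and a key=value opens a new challenge; a bare token
    opens a parameterless challenge; any other key=value belongs to the
    challenge currently open. token68 credentials and anything else malformed
    raise ValueError rather than being guessed at.
    """
    challenges: List[Challenge] = []
    for header in headers:
        for piece in _split_top_level(header):
            head = _SCHEME_WITH_PARAM.match(piece)
            first = _PARAM.match(head.group(2)) if head else None
            if first:
                challenges.append(
                    (head.group(1).lower(), {first.group(1).lower(): _value(first)})
                )
            elif re.fullmatch(_TOKEN, piece):
                challenges.append((piece.lower(), {}))
            else:
                param = _PARAM.match(piece)
                if param is None or not challenges:
                    raise ValueError(f"malformed WWW-Authenticate piece: {piece!r}")
                challenges[-1][1][param.group(1).lower()] = _value(param)
    return challenges


def select_scheme(challenges: List[Challenge], preference: List[str]) -> Optional[Challenge]:
    """Return the first offered challenge the client supports, in the client's
    own preference order, or None when nothing offered is supported.

    This is the cipher-suite model: choose from what the server offers, in
    your own order, and refuse rather than fall back to a scheme you were
    never configured for.
    """
    for wanted in preference:
        for scheme, params in challenges:
            if scheme == wanted.lower():
                return scheme, params
    return None


if __name__ == "__main__":
    offered = parse_challenges(SAMPLE_HEADERS)
    print("offered:", offered)
    print("client preferring MAC picks:", select_scheme(offered, ["MAC", "Bearer"]))
    print("Bearer-only client picks:   ", select_scheme(offered, ["Bearer"]))
    print("Digest-only client picks:   ", select_scheme(offered, ["Digest"]))
```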

From mike@mtcc.com  Thu Nov 17 08:49:09 2011
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B5E421F9886 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 08:49:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uqU974VAATup for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 08:49:08 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 60A9521F9885 for <oauth@ietf.org>; Thu, 17 Nov 2011 08:49:08 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pAHGn2gB030640 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 17 Nov 2011 08:49:03 -0800
Message-ID: <4EC53AFE.5020506@mtcc.com>
Date: Thu, 17 Nov 2011 08:49:02 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com> <1321543457.7567.137.camel@ground>
In-Reply-To: <1321543457.7567.137.camel@ground>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; );  dkim-asp=pass header.From=mike@mtcc.com
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 16:49:09 -0000

On 11/17/2011 07:24 AM, Justin Richer wrote:
> Which brings us to MTI in clients, which makes even less sense. Let's
> say that I'm writing a client to talk to Example.com, which hands back
> MAC tokens. I want to comply with the spec, so I implement Bearer
> support in my client, code paths which will never see the light of day.
>
> Then there's the argument that a generic library is what's really meant
> by "client" here, and that those MUST follow the MTI guidelines. I also
> find this to be ludicrous, since client libraries will implement
> whatever servers support. A good client library will support *both* MAC
> and Bearer together, along with whatever magical tokens that haven't
> been dreamed up yet that are getting traction.
>    

I think this is really the key problem. To date, there isn't a
unified library that clients and servers are using that could
force this issue: every server/site is rolling their own oauth
sdk, and they don't have much reason *now* to change that.
If/when something emerged as being the oauth equivalent of
openssl, then it would make sense to tighten requirements on
such a library to achieve better interoperability. It would also
coincide with actual real world _knowledge_ of what the
appropriate MUST-IMPLEMENT's are instead of guessing.
All a mandatory requirement will do now is alienate a lot of
implementations that are otherwise striving to be compliant.

So my bottom line to Stephen: defer this to a later recycle of the
rfc.

Mike


From phil.hunt@oracle.com  Thu Nov 17 10:28:01 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E5A11E80C8 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 10:28:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.511
X-Spam-Level: 
X-Spam-Status: No, score=-6.511 tagged_above=-999 required=5 tests=[AWL=0.087,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IzGVH8beAeRU for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 10:28:01 -0800 (PST)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id F3C1711E8086 for <oauth@ietf.org>; Thu, 17 Nov 2011 10:28:00 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pAHIRv4e004036 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 17 Nov 2011 18:27:58 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pAHIRu9Y012835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Nov 2011 18:27:57 GMT
Received: from abhmt112.oracle.com (abhmt112.oracle.com [141.146.116.64]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pAHIRp9C012202; Thu, 17 Nov 2011 12:27:51 -0600
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 17 Nov 2011 10:27:51 -0800
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
Date: Thu, 17 Nov 2011 10:27:49 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <6C11A833-1B70-43E6-9ABE-B8C7817B8EF5@oracle.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090205.4EC5522E.00D5,ss=1,re=0.000,fgs=0
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 18:28:01 -0000

Are there any features of TLS 1.2 that are specifically needed for
OAuth2? Can you identify a technical reason other than 'we gotta move
the market forward'?

Given past history in the WG where having any transport security was =
contentious, I suspect there would be significant objection to 1.2.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-17, at 12:41 AM, Barry Leiba wrote:

> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places):
>
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> support additional transport-layer mechanisms meeting its security
> requirements.
>
> In both the shepherd review and the AD review, this was called into
> question:
> 1. MUST for an old version and SHOULD for the current version seems
> wrong.
> 2. Having specific versions required locks us into those versions (for
> example, all implementations will have to support TLS 1.0, even long
> after it becomes obsolete, unless we rev the spec).
>
> I have suggested the following change, as doc shepherd:
>
> NEW
> The authorization server MUST implement the current version of TLS
> (1.2 [RFC5246] at the time of this writing), and SHOULD implement the
> most widely deployed previous version (1.0 [RFC2246] at the time of
> this writing), unless that version is deprecated due to security
> vulnerabilities.  It MAY also implement additional transport-layer
> mechanisms that meet its security requirements.
>
> I believe this also gives us the effect we want, without the two
> problems above.  There was consensus in the meeting for accepting this
> text.  Confirming on the list:
>
> Please respond to this thread if you *object* to this change, and say
> why.  Please respond by 2 Dec 2011.
>
> Barry, as document shepherd
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From eran@hueniverse.com  Thu Nov 17 10:43:22 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04F8621F984C for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 10:43:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.525
X-Spam-Level: 
X-Spam-Status: No, score=-2.525 tagged_above=-999 required=5 tests=[AWL=0.074,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z85GemTcW5mx for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 10:43:21 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 58CD221F984D for <oauth@ietf.org>; Thu, 17 Nov 2011 10:43:21 -0800 (PST)
Received: (qmail 30001 invoked from network); 17 Nov 2011 18:39:09 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 17 Nov 2011 18:39:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Thu, 17 Nov 2011 11:38:57 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Date: Thu, 17 Nov 2011 11:38:48 -0700
Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type
Thread-Index: AcylAu+35Pq9gSF/QaS3Z+DAS2FtgQATFAzg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EB64@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com>
In-Reply-To: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 18:43:22 -0000

> 1. Should we specify some token type as mandatory to implement?  Why or
> why not (*briefly*)?

On the server - no. It makes no sense because the server dictates the token
type so if it decides to never issue the mandated type, what's the point in
implementing?

On the client, maybe. If the server knows that a client will always
understand a set of token types, it can choose to use that and ensure
interop (or not). In practice, mandating will add no real interop value.
Almost every client will hard-code the token types it needs to understand
and providers are not likely to support more than one or to change it. We
can mandate a type for 'generic clients' so that libraries support both, but
it won't actually make any difference.

Bottom line, this is a red herring. OAuth doesn't really provide this level
of interop and was never designed for that. In the future, when we have more
interop web APIs (photos, social, etc.) and we have real world experience
with discovery, this will be important. But that's a few years away (at
least).

> 2. If we do specify one, which token type should it be?

This is a no-win situation. Most providers will ignore a requirement to
support MAC, or will support it but will not see much usage because most
developers when given the choice will go with Bearer. Mandating Bearer will
be ignored by providers who want better security and will most likely render
MAC pointless. If we mandate Bearer, I see no point in even publishing MAC
as it will turn into a purely theoretical exercise.

Given the history of this group, no change is the only likely consensus.

EHL



From buhake@googlemail.com  Fri Nov 18 00:33:49 2011
Return-Path: <buhake@googlemail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 201D421F85FF for <oauth@ietfa.amsl.com>; Fri, 18 Nov 2011 00:33:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.275
X-Spam-Level: 
X-Spam-Status: No, score=-1.275 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1, SARE_URI_CONS7=0.306]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMqjgnaoZ01z for <oauth@ietfa.amsl.com>; Fri, 18 Nov 2011 00:33:48 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 33AC121F85F1 for <oauth@ietf.org>; Fri, 18 Nov 2011 00:33:47 -0800 (PST)
Received: by bkbzv15 with SMTP id zv15so3681537bkb.31 for <oauth@ietf.org>; Fri, 18 Nov 2011 00:33:47 -0800 (PST)
Received: by 10.204.133.197 with SMTP id g5mr2284533bkt.43.1321605227171; Fri, 18 Nov 2011 00:33:47 -0800 (PST)
Received: from [192.168.137.209] ([41.160.150.196]) by mx.google.com with ESMTPS id n25sm4697441fah.15.2011.11.18.00.33.43 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 18 Nov 2011 00:33:44 -0800 (PST)
References: <20111024142922.27979.37890.idtracker@ietfa.amsl.com> <DADD7EAD88AB484D8CCC328D40214CCD0E78CBBC17@EXPO10.exchange.mit.edu>
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD0E78CBBC17@EXPO10.exchange.mit.edu>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <2796DF93-ABE1-48C0-8CA2-7DC1FC239DE5@gmail.com>
X-Mailer: iPad Mail (9A405)
From: Buhake Sindi <buhake@googlemail.com>
Date: Fri, 18 Nov 2011 10:33:37 +0200
To: Thomas Hardjono <hardjono@MIT.EDU>
X-Mailman-Approved-At: Fri, 18 Nov 2011 13:31:38 -0800
Cc: "oauth \(oauth@ietf.org\)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] FW: New Version Notification for draft-hardjono-oauth-dynreg-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2011 08:33:49 -0000

Hi Thomas,


Concerning the above documentation, section 7.4: your error attributes and example don't match. Should I ignore the example shown in the document?


Buhake Sindi

The Elite Gentleman.

On 24 Oct 2011, at 16:31, Thomas Hardjono <hardjono@MIT.EDU> wrote:

> FYI Folks,
>
> Just a rev update.
>
> /thomas/
>
>
> __________________________________________
>
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: Monday, October 24, 2011 10:29 AM
> To: Thomas Hardjono
> Cc: m.p.machulak@ncl.ac.uk; Thomas Hardjono; eve@xmlgrrl.com
> Subject: New Version Notification for draft-hardjono-oauth-dynreg-01.txt
>
> A new version of I-D, draft-hardjono-oauth-dynreg-01.txt has been successfully submitted by Thomas Hardjono and posted to the IETF repository.
>
> Filename:     draft-hardjono-oauth-dynreg
> Revision:     01
> Title:         OAuth Dynamic Client Registration Protocol
> Creation date:     2011-10-24
> WG ID:         Individual Submission
> Number of pages: 20
>
> Abstract:
>   This specification proposes an OAuth Dynamic Client Registration
>   protocol.
>
>
>
>
> The IETF Secretariat
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From eran@hueniverse.com  Sat Nov 19 07:33:32 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1C021F86A1 for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 07:33:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.533
X-Spam-Level: 
X-Spam-Status: No, score=-2.533 tagged_above=-999 required=5 tests=[AWL=0.065,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVgbv-Ui03P5 for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 07:33:32 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id EAC0921F867F for <oauth@ietf.org>; Sat, 19 Nov 2011 07:33:31 -0800 (PST)
Received: (qmail 6197 invoked from network); 19 Nov 2011 15:33:31 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 19 Nov 2011 15:33:31 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Sat, 19 Nov 2011 08:33:31 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 19 Nov 2011 08:33:18 -0700
Thread-Topic: MAC Cookies
Thread-Index: Acymz6HFl/U8guK9RkudiHgjjqTLyg==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF0P3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: Ben Adida <ben@adida.net>, "'Adam Barth \(adam@adambarth.com\)'" <adam@adambarth.com>
Subject: [OAUTH-WG] MAC Cookies
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2011 15:33:32 -0000

--_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF0P3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I would like to drop the cookies support defined in the MAC document due to lack of interest from the browser vendors. At this point it is most likely going to be an unimplemented proposal. If there is interest in the future, it can be proposed in a separate document. This will allow us to bring this work to a quick conclusion.

Any objections?

EHL

--_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF0P3PW5EX1MB01E_--

From eran@hueniverse.com  Sat Nov 19 07:39:24 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCF3721F8906 for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 07:39:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.535
X-Spam-Level: 
X-Spam-Status: No, score=-2.535 tagged_above=-999 required=5 tests=[AWL=0.063,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hwlvfzw0skXH for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 07:39:24 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 7E5FE21F850B for <oauth@ietf.org>; Sat, 19 Nov 2011 07:39:19 -0800 (PST)
Received: (qmail 12510 invoked from network); 19 Nov 2011 15:39:18 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 19 Nov 2011 15:39:18 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Sat, 19 Nov 2011 08:39:18 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 19 Nov 2011 08:39:05 -0700
Thread-Topic: MAC: body-hash
Thread-Index: Acym0Srj6ldOsg2FQ0u3XZcwg9JdEQ==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF1P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [OAUTH-WG] MAC: body-hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2011 15:39:24 -0000

--_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF1P3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I want to reaffirm our previous consensus to drop the body-hash parameter and leave the ext parameter. Body-hash as currently specified is going to cause significant interop issues due to character (and other) encoding issues. Providers who desire to MAC the body can define their own ext use case.

Let me know if you have an objection to this change.

EHL

--_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF1P3PW5EX1MB01E_--
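
The mechanism Eran is proposing to change, as an added example that is not code from the MAC draft or from anyone on this thread: the request MAC is an HMAC over a normalized request string, and the body is bound through a provider-defined ext attribute instead of a spec-level body-hash. The normalized-string layout used here (timestamp, nonce, method, request-URI, host, port, ext, each followed by a newline) follows the draft of the time; the ext attribute name body-sha256, the token id, the key and the request values are constructed for illustration and are not from the draft. body_ext hashes the exact bytes on the wire, which is where the character-set point bites: the same text sent as UTF-8 and as ISO-8859-1, or with LF and with CRLF line endings, hashes differently, so verification fails whenever any party re-encodes the body. A single provider can pin that down for its own clients; a generic body-hash in the spec would have to define a canonical encoding for every body type.

```python
"""Request MAC with a provider-defined ext body binding (added example)."""
import base64
import hashlib
import hmac
import re
from typing import Callable, Optional, Set, Tuple

# Constructed sample credentials; assumptions for this example, not values from the draft.
EXAMPLE_ID = "example-token-id"
EXAMPLE_KEY = b"example-shared-secret-do-not-reuse"

_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def body_ext(body: bytes) -> str:
    """Hypothetical provider-defined ext value: hex SHA-256 of the exact body bytes.

    It binds bytes, not characters: transcoding the body (UTF-8 vs ISO-8859-1)
    or normalizing its line endings between client and server changes the value.
    """
    return "body-sha256=" + hashlib.sha256(body).hexdigest()


def normalized_request_string(ts: str, nonce: str, method: str, request_uri: str,
                              host: str, port: int, ext: str) -> str:
    """Request elements in a fixed order, each terminated by a newline (draft layout)."""
    parts = [ts, nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "".join(p + "\n" for p in parts)


def compute_mac(key: bytes, nrs: str) -> str:
    digest = hmac.new(key, nrs.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(token_id: str, key: bytes, ts: int, nonce: str, method: str,
                 request_uri: str, host: str, port: int,
                 body: Optional[bytes] = None) -> str:
    """Client side: build the Authorization header value for one request."""
    ext = body_ext(body) if body is not None else ""
    nrs = normalized_request_string(str(ts), nonce, method, request_uri, host, port, ext)
    attrs = [f'id="{token_id}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if ext:
        attrs.append(f'ext="{ext}"')
    attrs.append(f'mac="{compute_mac(key, nrs)}"')
    return "MAC " + ", ".join(attrs)


def parse_mac_header(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    return dict(_ATTR_RE.findall(rest))


def verify_request(header: str, key_lookup: Callable[[str], Optional[bytes]],
                   method: str, request_uri: str, host: str, port: int,
                   body: Optional[bytes], now: int, window: int = 300,
                   seen: Optional[Set[Tuple[str, str]]] = None) -> bool:
    """Server side: recompute the MAC from the request as it actually arrived.

    `seen` is the caller's replay cache of (ts, nonce) pairs; an entry is recorded
    only after a successful check, so forged headers cannot poison the cache.
    A body that arrived without a binding in ext is rejected.
    """
    try:
        attrs = parse_mac_header(header)
        ts_str, nonce, given_mac = attrs["ts"], attrs["nonce"], attrs["mac"]
        ts = int(ts_str)
        key = key_lookup(attrs["id"])
    except (ValueError, KeyError):
        return False
    if key is None or abs(now - ts) > window:
        return False
    if seen is not None and (ts_str, nonce) in seen:
        return False
    ext = attrs.get("ext", "")
    # Compare the body binding against the received bytes in constant time.
    if body is not None and not hmac.compare_digest(
            ext.encode("utf-8"), body_ext(body).encode("ascii")):
        return False
    nrs = normalized_request_string(ts_str, nonce, method, request_uri, host, port, ext)
    ok = hmac.compare_digest(compute_mac(key, nrs).encode("ascii"), given_mac.encode("utf-8"))
    if ok and seen is not None:
        seen.add((ts_str, nonce))
    return ok
```

The server recomputes everything from what it received rather than from what the client claims to have sent, so a proxy that re-encodes a text body, rewrites the Host header or changes the port causes a verification failure rather than a silent acceptance; that failure is the interop cost a spec-mandated body-hash would impose on every deployment.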

From wmills@yahoo-inc.com  Sat Nov 19 07:46:31 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27CE221F899D for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 07:46:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.947
X-Spam-Level: 
X-Spam-Status: No, score=-15.947 tagged_above=-999 required=5 tests=[AWL=-0.763, BAYES_40=-0.185, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSYp2L3VTC-q for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 07:46:30 -0800 (PST)
Received: from nm19.bullet.mail.sp2.yahoo.com (nm19.bullet.mail.sp2.yahoo.com [98.139.91.89]) by ietfa.amsl.com (Postfix) with SMTP id 807F521F891D for <oauth@ietf.org>; Sat, 19 Nov 2011 07:46:30 -0800 (PST)
Received: from [98.139.91.62] by nm19.bullet.mail.sp2.yahoo.com with NNFMP; 19 Nov 2011 15:46:27 -0000
Received: from [98.139.91.32] by tm2.bullet.mail.sp2.yahoo.com with NNFMP; 19 Nov 2011 15:46:27 -0000
Received: from [127.0.0.1] by omp1032.mail.sp2.yahoo.com with NNFMP; 19 Nov 2011 15:46:27 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 410995.60872.bm@omp1032.mail.sp2.yahoo.com
Received: (qmail 62762 invoked by uid 60001); 19 Nov 2011 15:46:26 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1321717586; bh=QUVkSgpb1vjR0paV1/l+EIMjmSWM+/k7IdX+ZqpjrGE=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=KMWd1pqOGERe8rCRKpDwxsCXtKbHo0s6b7FAdI+MoqxTRCF5A9Ip31qwjX+6nO4bDol2SMlPlzCTw6JWCuY84aDtAbhePwB85aEuqS0i17IRqntLF9Jr9Q47vMi3jUe2rNB7I5DlQCQtUmA9L5gnPxLuael65S745GtNEmtmPEU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=pRG/IhStLXDF/fwrprMEbnzDYoTX1f7m14NwV0fWQLwOF06aZifkwjmj0vSNCVEVmRtmWoJwZRyCOW3U/7NCm85fbkyV+IUnS0kkKUAHmz5kEI4yIvq4yXrb7EYxzm86Qnjz76u2Nvkeu3POH2HOrND8g1VKdIidnv5mvOagi6s=;
X-YMail-OSG: bPKDCbkVM1mbcWor1t8Z0qIufMCc_k9NNEuq_iqw.4yzG.Q mZRdfG8BpQgz2a8WYeoA.Za3ON9groLQOFuhYA0Mio0kBSe2BUq_LJOU05Nr 5MMdklGhaCKdUKCDGh4Thyq4MJAt7lErI.6LjY7F9p2Zx6WblFoyQM1Y5Gg. qU9NwZ1tJeg8r6UTWbl7wo4kftNlN0zCnC.2StH90ERSjyHCgaJ2l0lse83H LN1hWmYT8J2BVCK987r42XtG9y1i3RgPjss3jQukTsMqyeFmTcyjMDG86nZO .gdgy6r4QYpzl3SAsAP_LpFIKJ4zCRMwVOyU5WuDoJmUv6sJsaDeQOZWpfV0 Kv0FJIQspqzD6YhlwvrDR5uQtGiB60g0MndpS8AqBO_lrChD3nOy2rbAQYQx BNNCebOU7JS8x
Received: from [99.31.212.42] by web31804.mail.mud.yahoo.com via HTTP; Sat, 19 Nov 2011 07:46:26 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.331203
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <1321717586.50797.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Sat, 19 Nov 2011 07:46:26 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="835683298-1628337004-1321717586=:50797"
Subject: Re: [OAUTH-WG] MAC: body-hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2011 15:46:31 -0000

--835683298-1628337004-1321717586=:50797
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

I haven't read the MAC spec recently enough, did you already deal with the character set issue (if there was one) comparable to the ones in the Bearer spec?

I am +1 on the -body_hash +ext change.


________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Sent: Saturday, November 19, 2011 7:39 AM
Subject: [OAUTH-WG] MAC: body-hash


I want to reaffirm our previous consensus to drop the body-hash parameter and leave the ext parameter. Body-hash as currently specified is going to cause significant interop issues due to character (and other) encoding issues. Providers who desire to MAC the body can define their own ext use case.

Let me know if you have an objection to this change.

EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--835683298-1628337004-1321717586=:50797--

From phil.hunt@oracle.com  Sat Nov 19 08:28:52 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFDF21F84A8 for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 08:28:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.521
X-Spam-Level: 
X-Spam-Status: No, score=-6.521 tagged_above=-999 required=5 tests=[AWL=0.077,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ewuDJs0cdcG6 for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 08:28:51 -0800 (PST)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 7D0A621F84A4 for <oauth@ietf.org>; Sat, 19 Nov 2011 08:28:51 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pAJGSmXa006366 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 19 Nov 2011 16:28:49 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pAJGSlii011585 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 19 Nov 2011 16:28:48 GMT
Received: from abhmt102.oracle.com (abhmt102.oracle.com [141.146.116.54]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pAJGSgwN002253; Sat, 19 Nov 2011 10:28:42 -0600
Received: from [192.168.1.8] (/24.87.204.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 19 Nov 2011 08:28:41 -0800
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/alternative; boundary="Apple-Mail=_795F5302-0021-4734-9665-102C49D6F193"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Sat, 19 Nov 2011 08:28:41 -0800
Message-Id: <72A7CE61-1ED3-4DD3-A5C0-3D2F572ED471@oracle.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
X-CT-RefId: str=0001.0A090202.4EC7D942.002C,ss=1,re=0.000,fgs=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: body-hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2011 16:28:52 -0000

--Apple-Mail=_795F5302-0021-4734-9665-102C49D6F193
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Sounds good.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-19, at 7:39 AM, Eran Hammer-Lahav wrote:

> I want to reaffirm our previous consensus to drop the body-hash parameter and leave the ext parameter. Body-hash as currently specified is going to cause significant interop issues due to character (and other) encoding issues. Providers who desire to MAC the body can define their own ext use case.
>
> Let me know if you have an objection to this change.
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_795F5302-0021-4734-9665-102C49D6F193--

From eran@hueniverse.com  Sat Nov 19 08:39:40 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A349421F84DA for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 08:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.537
X-Spam-Level: 
X-Spam-Status: No, score=-2.537 tagged_above=-999 required=5 tests=[AWL=0.061,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ffq-hKQ4ofxi for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 08:39:39 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 8877E21F84B4 for <oauth@ietf.org>; Sat, 19 Nov 2011 08:39:39 -0800 (PST)
Received: (qmail 25742 invoked from network); 19 Nov 2011 16:39:25 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 19 Nov 2011 16:39:24 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Sat, 19 Nov 2011 09:39:24 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: William Mills <wmills@yahoo-inc.com>, OAuth WG <oauth@ietf.org>
Date: Sat, 19 Nov 2011 09:39:11 -0700
Thread-Topic: [OAUTH-WG] MAC: body-hash
Thread-Index: Acym0maqyl7xT4QOS92aWxKB6KB0FAAB1VaA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF5@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1321717586.50797.YahooMailNeo@web31804.mail.mud.yahoo.com>
In-Reply-To: <1321717586.50797.YahooMailNeo@web31804.mail.mud.yahoo.com>
Subject: Re: [OAUTH-WG] MAC: body-hash


The charset is restricted so no issues.

From: William Mills [mailto:wmills@yahoo-inc.com]
Sent: Saturday, November 19, 2011 7:46 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: Re: [OAUTH-WG] MAC: body-hash

I haven't read the MAC spec recently enough, did you already deal with the character set issue (if there was one) comparable to the ones in the Bearer spec?

I am +1 on the -body_hash +ext change.

________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>>
To: OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>>
Sent: Saturday, November 19, 2011 7:39 AM
Subject: [OAUTH-WG] MAC: body-hash
I want to reaffirm our previous consensus to drop the body-hash parameter and leave the ext parameter. Body-hash as currently specified is going to cause significant interop issues due to character (and other) encoding issues. Providers who desire to MAC the body can define their own ext use case.

Let me know if you have an objection to this change.

EHL




From eran@hueniverse.com  Sat Nov 19 08:42:00 2011
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 19 Nov 2011 09:41:45 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: [OAUTH-WG] MAC: Age in nonce


We had a long discussion about what to use for the numerical component of the nonce string. I would like to suggest we use:

   nonce
         REQUIRED.  A unique string generated by the client to allow the
         server to verify that a request has never been made before and
         helps prevent replay attacks when requests are made over an
         insecure channel.  The nonce value MUST be unique across all
         requests with the same MAC key identifier.

         The nonce value MUST consist of an age, a colon character
         (%x25), and a unique string (typically random).  The age
         portion MUST be a monotonically increasing, but not necessarily
         unique, positive integer value.  The change in the age value
         between requests MUST reflect the number of seconds elapsed.
         For example, the age can be a client timestamp expressed as
         seconds since 01-01-1970 or since the credentials were issued
         to the client.  The value MUST NOT include leading zeros (e.g.
         "000273156").  For example: "273156:di3hvdf8"

         To avoid the need to retain an infinite number of nonce values
         for future checks, the server MAY choose to restrict the time
         period after which a request with an old age is rejected.  If
         such a restriction is enforced, the server SHOULD allow for a
         sufficiently large window to accommodate network delays.  The
         server SHOULD use the first age value received from the client
         to establish a method for comparing the server time with that
         of the client.  In addition, the server SHOULD accommodate small
         negative changes in age values caused by differences between
         the multiple clocks of a distributed client configuration
         utilizing more than one device.

This text keeps the age as a seconds count but uses the first request to establish a clock sync on the server side instead of mandating one way to calculate it.

Feedback?

EHL
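The server-side checks the proposed text asks for, written out as an added example (not code from the draft or from its author): the first age received fixes the server/client clock relation, ages that fall behind the acceptance window are rejected, small backwards steps from multi-device clients are tolerated, and a per-key-identifier replay cache covers the window. The window and skew sizes, base-10 parsing of the age, and the literal ':' separator are assumptions of this example.

```python
"""Nonce validation for the proposed "age:unique" MAC nonce format.

Added example for the proposal above; not code from the draft or its author.
Assumptions: the age is a base-10 integer, the separator is the literal ':',
and the server keeps one NonceChecker per MAC key identifier.
"""
import re
import time
from collections import deque

# Age MUST be a positive integer without leading zeros, then ':', then the
# unique part (anything non-blank that does not contain another ':').
_NONCE_RE = re.compile(r"^(?P<age>[1-9][0-9]*):(?P<unique>[^\s:]+)$")


def parse_nonce(nonce: str) -> tuple[int, str]:
    """Split "273156:di3hvdf8" into (273156, "di3hvdf8"); ValueError on bad syntax."""
    m = _NONCE_RE.match(nonce)
    if m is None:
        raise ValueError("nonce must be <positive integer, no leading zeros>:<unique string>")
    return int(m.group("age")), m.group("unique")


class NonceChecker:
    """Replay and age checks for the requests of ONE MAC key identifier.

    window: seconds behind the server's adjusted clock an age may be before the
            request is rejected (the proposal's MAY, sized to allow network delay).
    skew:   seconds the age may move backwards between requests (the "small
            negative changes" from a client spread over several devices).
    clock:  injectable time source so the behaviour can be tested deterministically.
    """

    def __init__(self, window: int = 300, skew: int = 30, clock=time.time):
        self.window = window
        self.skew = skew
        self.clock = clock
        self.offset = None        # server_time - client_age, fixed by the first request
        self.max_age_seen = 0     # highest age accepted so far
        self.seen = set()         # (age, unique) pairs inside the window
        self.order = deque()      # same pairs in arrival order, for eviction

    def check(self, nonce: str) -> bool:
        """Return True if the nonce is acceptable and record it; False to reject.

        A syntactically invalid nonce raises ValueError; callers treat that as a
        rejection too.
        """
        age, unique = parse_nonce(nonce)
        now = int(self.clock())

        if self.offset is None:
            # First request from this key id establishes the clock relation.
            self.offset = now - age

        # Oldest client age still inside the window, in client-clock terms.
        cutoff = now - self.window - self.offset
        if age < cutoff:
            return False  # stale: its replay-cache entry would already be gone

        # Monotonic, but tolerate small backwards steps (multi-device clients).
        if age < self.max_age_seen - self.skew:
            return False

        # Evict cache entries that fell out of the window. Entries arrive in
        # near-age order (skew < window), so a slightly out-of-order entry may
        # linger a little longer; that only costs memory, never correctness.
        while self.order and self.order[0][0] < cutoff:
            self.seen.discard(self.order.popleft())

        if (age, unique) in self.seen:
            return False  # exact replay of a nonce still inside the window

        self.seen.add((age, unique))
        self.order.append((age, unique))
        self.max_age_seen = max(self.max_age_seen, age)
        return True
```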




From eran@hueniverse.com  Sat Nov 19 09:08:56 2011
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Mark Nottingham <mnot@mnot.net>
Date: Sat, 19 Nov 2011 10:08:39 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDFD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net>
In-Reply-To: <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] HTTP MAC Authentication Scheme

> -----Original Message-----
> From: Mark Nottingham [mailto:mnot@mnot.net]
> Sent: Tuesday, May 31, 2011 4:57 PM

> The "normalized request string" contains the request-URI and values
> extracted from the Host header. Be aware that intermediaries can and do
> change these; e.g., they may change an absolute URI to a relative URI in the
> request-line, without affecting the semantics of the request. See [1] for
> details (it covers other problematic conditions too).
>
> It would be more robust to calculate an effective request URI, as in [2].
> [2] http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.3

Using the effective request URI has proved to be a significant point of friction in OAuth 1.0. I would rather note that intermediaries can change the request URI and that the server must reverse those changes based on what the values should have been if they were received from the client directly.

EHL
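The rewrite Mark names (an absolute request-URI turned into a relative one, or the reverse) and the reversal Eran asks servers to perform, as an added example that is not code from the MAC draft or from either author. It reduces both request-line forms to the same (scheme, host, port, path-and-query) tuple before any MAC input is built; the normalized request string layout itself is not on this page and is not reproduced.

```python
"""Recover the request-URI and host the client signed, whatever form a proxy forwarded.

Added example for the exchange above; not code from the MAC draft or its authors.
Assumption: host comparison is case-insensitive and IPv6 literals in Host are
out of scope for this snippet.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def _split_host(host_header: str, scheme: str) -> tuple[str, int]:
    """Split "Example.com:8080" into ("example.com", 8080); default the port by scheme."""
    host, _, port_str = host_header.partition(":")
    port = int(port_str) if port_str else DEFAULT_PORT[scheme]
    return host.lower(), port


def effective_target(request_target: str, host_header: str, scheme: str) -> tuple[str, str, int, str]:
    """Return (scheme, host, port, path_and_query) as the client originally sent them.

    request_target: the request-line target, either absolute-form
                    ("http://example.com/resource?a=1") or origin-form ("/resource?a=1").
    host_header:    the Host header value, e.g. "example.com" or "example.com:8080".
    scheme:         scheme of the connection the server sees; an absolute-form
                    target overrides it.
    """
    if "://" in request_target:
        # Absolute-form: the authority in the request-line is authoritative
        # (RFC 7230 section 5.4). A Host header that disagrees with it means a
        # broken or hostile intermediary, so refuse instead of guessing.
        parts = urlsplit(request_target)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        port = parts.port or DEFAULT_PORT[scheme]
        if host_header and _split_host(host_header, scheme) != (host, port):
            raise ValueError("Host header disagrees with absolute request-URI")
    else:
        # Origin-form: host and port can only come from the Host header.
        parts = urlsplit(request_target)
        host, port = _split_host(host_header, scheme)

    path_query = parts.path or "/"
    if parts.query:
        path_query += "?" + parts.query
    return scheme, host, port, path_query
```

A MAC verifier that feeds this tuple (rather than the raw request-line) into its normalized string gets the same bytes the client used, whether or not a proxy rewrote the request-line on the way.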

From eran@hueniverse.com  Sat Nov 19 09:22:14 2011
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Justin Richer <jricher@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Sat, 19 Nov 2011 10:22:00 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EE00@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <1313174628.22073.135.camel@ground>
In-Reply-To: <1313174628.22073.135.camel@ground>
Cc: "Anganes, Amanda L" <aanganes@mitre.org>
Subject: Re: [OAUTH-WG] MAC Token Comments

Thanks.

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Justin Richer
> Sent: Friday, August 12, 2011 11:44 AM
> To: oauth@ietf.org
> Cc: Anganes, Amanda L
> Subject: [OAUTH-WG] MAC Token Comments
>
> 2: MAC Key: "The server MUST NOT reissue a previously issued MAC key and
> MAC key identifier combination."

Ok.
> 3: I would still like to see a binding for post body and url parameters.
> This could be as simple as defining a set of parameter names for everything
> used in the auth header, but I'm still given the impression that this has been
> deemed outside the scope of the MAC token. Our use case is to pass around
> signed URLs between servers with all query parameters protected by the
> signature, which we use 2-legged OAuth 1.0 for today. We can try to get
> language for this together if there's enough draw for it, but I haven't been
> hearing that from other folks yet so we might just try to draft an extension to
> the extension, instead.

I can see the value in this for signed redirections and callbacks. The problem, of course, is that once you mess with the request URI, it must be normalized, which has been a significant source of friction in OAuth 1.0. If you have suggestions on how to add this functionality without introducing significant pain, we should discuss it.

> 5: This section's wording should be brought more in line with the descriptions
> of the OAuth protocol in both core and bearer, which in turn should actually
> be a bit closer together themselves. Seems like we need a succinct elevator
> pitch for "what is OAuth2" to drop into all of these locations (and other
> extension specs) -- anybody want to take a crack at distilling one from these
> three sources?

I just dropped the whole thing and kept a one-line reference to OAuth 2.0. No need to explain it.

> 7.9: Grammar tweak: "Those designing additional methods should evaluate
> 	the compatibility of the normalized request string with their
> 	own security requirements."

Adding 'own' is superfluous.

EHL


From mnot@mnot.net  Sun Nov 20 13:34:52 2011
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDFD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 21 Nov 2011 08:34:40 +1100
Message-Id: <29DF95E3-1E07-433C-B67A-6A8C044B5F9D@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net> <90C41DD21FB7C64BB94121FBBC2E7234526735EDFD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] HTTP MAC Authentication Scheme

It sounds like it's specifying *almost* the same thing, but in a different way. Why is there friction? Is it fashion, NIH or something more substantial?

Cheers,


On 20/11/2011, at 4:08 AM, Eran Hammer-Lahav wrote:

>
>> -----Original Message-----
>> From: Mark Nottingham [mailto:mnot@mnot.net]
>> Sent: Tuesday, May 31, 2011 4:57 PM
>
>> The "normalized request string" contains the request-URI and values
>> extracted from the Host header. Be aware that intermediaries can and do
>> change these; e.g., they may change an absolute URI to a relative URI in the
>> request-line, without affecting the semantics of the request. See [1] for
>> details (it covers other problematic conditions too).
>>
>> It would be more robust to calculate an effective request URI, as in [2].
>> [2] http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.3
>
> Using the effective request URI has proved to be a significant point of
> friction in OAuth 1.0. I would rather note that intermediaries can change the
> request URI and that the server must reverse those changes based on what the
> values should have been if they were received from the client directly.
>
> EHL

--
Mark Nottingham   http://www.mnot.net/




From romeda@gmail.com  Mon Nov 21 10:59:54 2011
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Blaine Cook <romeda@gmail.com>
Date: Mon, 21 Nov 2011 18:59:29 +0000
Message-ID: <CAAz=scmJyw+ujNZFa8T3kYA1WbLZjUuQ12OP3SfvsdmES0PzaQ@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: Age in nonce

+1. This is good.

On 19 November 2011 16:41, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> We had a long discussion about what to use for the numerical component of
> the nonce string. I would like to suggest we use:
>
>    nonce
>          REQUIRED.  A unique string generated by the client to allow the
>          server to verify that a request has never been made before and
>          helps prevent replay attacks when requests are made over an
>          insecure channel.  The nonce value MUST be unique across all
>          requests with the same MAC key identifier.
>
>          The nonce value MUST consist of an age, a colon character
>          (%x25), and a unique string (typically random).  The age
>          portion MUST be a monotonically increasing, but not necessarily
>          unique, positive integer value.  The change in the age value
>          between requests MUST reflect the number of seconds elapsed.
>          For example, the age can be a client timestamp expressed as
>          seconds since 01-01-1970 or since the credentials were issued
>          to the client.  The value MUST NOT include leading zeros (e.g.
>          "000273156").  For example: "273156:di3hvdf8"
>
>          To avoid the need to retain an infinite number of nonce values
>          for future checks, the server MAY choose to restrict the time
>          period after which a request with an old age is rejected.  If
>          such a restriction is enforced, the server SHOULD allow for a
>          sufficiently large window to accommodate network delays.  The
>          server SHOULD use the first age value received from the client
>          to establish a method for comparing the server time with that
>          of the client.  In addition, the server SHOULD accommodate small
>          negative changes in age values caused by differences between
>          the multiple clocks of a distributed client configuration
>          utilizing more than one device.
>
> This text keeps the age as a seconds count but uses the first request to
> establish a clock sync on the server side instead of mandating one way to
> calculate it.
>
> Feedback?
>
> EHL

From mike@mtcc.com  Mon Nov 21 11:03:24 2011
Message-ID: <4ECAA070.2040100@mtcc.com>
Date: Mon, 21 Nov 2011 11:03:12 -0800
From: Michael Thomas <mike@mtcc.com>
To: Blaine Cook <romeda@gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAz=scmJyw+ujNZFa8T3kYA1WbLZjUuQ12OP3SfvsdmES0PzaQ@mail.gmail.com>
In-Reply-To: <CAAz=scmJyw+ujNZFa8T3kYA1WbLZjUuQ12OP3SfvsdmES0PzaQ@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: Age in nonce

By unique, does that mean statistically unique or verifiably unique? That is,
do I need to store the nonce or can I just gin up a bunch of entropy of suitable
collision resistance? The latter is generally preferable.

Mike

Blaine Cook wrote:
> +1. This is good.
> 
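The "age:unique" nonce text quoted above, and Mike's question about whether the server has to store nonces, as an added example that is not code from the thread or the MAC draft: a server-side verifier that parses the nonce as proposed, takes the first age seen for a key as its clock reference, rejects requests outside a time window, tolerates a few seconds of skew between client devices, and remembers only the nonces still inside the window, so uniqueness is checked against a bounded store rather than assumed statistically. The class and function names, the window and skew values, and the injectable fake clock are this example's own.

```python
"""Server-side verification of the "age:unique" MAC nonce quoted above.

Added example, not code from the thread or the MAC draft.  It follows the
quoted text: the age is a positive decimal integer with no leading zeros,
followed by a colon and a unique (typically random) string; the server takes
the first age it sees for a key as its clock reference, rejects requests
outside a time window, tolerates small skew between client devices, and only
remembers nonces that are still inside the window.  Names are this example's own.
"""
from __future__ import annotations

import re
import secrets
import time
from dataclasses import dataclass, field

# age: positive decimal with no leading zeros; unique part: non-empty, no whitespace.
NONCE_RE = re.compile(r"^([1-9][0-9]*):(\S+)$")


def parse_nonce(nonce: str) -> tuple[int, str] | None:
    """Return (age, unique_string), or None if the nonce is malformed."""
    m = NONCE_RE.match(nonce)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def client_nonce(age: int) -> str:
    """Build a nonce the way a client would: age, colon, fresh random string."""
    if age <= 0:
        raise ValueError("age must be a positive integer")
    return f"{age}:{secrets.token_urlsafe(12)}"


@dataclass
class KeyState:
    """Per MAC key identifier: clock mapping plus nonces still inside the window."""
    offset: int | None = None  # server time minus client age, fixed by the first request
    seen: dict[str, int] = field(default_factory=dict)  # nonce -> age in server time


class NonceVerifier:
    """Accepts or rejects nonces for each MAC key identifier."""

    def __init__(self, window: int = 300, skew: int = 5, clock=time.time):
        self.window = window  # seconds after which an old age is rejected
        self.skew = skew      # seconds a client may run ahead (multi-device clocks)
        self.clock = clock    # injectable so tests can drive time deterministically
        self.keys: dict[str, KeyState] = {}

    def check(self, key_id: str, nonce: str) -> str:
        """Return 'ok' and record the nonce, or a rejection reason."""
        parsed = parse_nonce(nonce)
        if parsed is None:
            return "malformed"
        age, _unique = parsed
        now = int(self.clock())
        state = self.keys.setdefault(key_id, KeyState())
        if state.offset is None:
            # First request for this key: establish how client age maps to server time.
            state.offset = now - age
        when = age + state.offset  # the request's age expressed in server time
        if when < now - self.window:
            return "stale"   # older than the window; the server need not remember it
        if when > now + self.skew:
            return "ahead"   # further ahead than the tolerated skew
        # Forget nonces that have left the window: anything that old is rejected as
        # "stale" before the replay check, so the store stays bounded.
        state.seen = {n: t for n, t in state.seen.items() if t >= now - self.window}
        if nonce in state.seen:
            return "replay"  # same nonce inside the window: a repeated request
        state.seen[nonce] = when
        return "ok"


if __name__ == "__main__":
    fake_now = [1_000_000]  # constructed server clock
    verifier = NonceVerifier(clock=lambda: fake_now[0])
    nonce = client_nonce(273156)
    print(verifier.check("key-1", nonce))  # ok
    print(verifier.check("key-1", nonce))  # replay
```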


From peter.wolanin@acquia.com  Wed Nov 23 11:53:42 2011
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 23 Nov 2011 14:53:24 -0500
Message-ID: <CAH0thKCUN9+Q47ZkGPzvfk81S0yUXxzxD8XURJP=p-ZBvOJ6pw@mail.gmail.com>
From: Peter Wolanin <peter.wolanin@acquia.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: body-hash

As long as a specific service can make an ext containing the body hash
required, I think this is fine.  Can the spec include body hash as an
example of an ext?

Thanks,

Peter

On Sat, Nov 19, 2011 at 10:39 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> I want to reaffirm our previous consensus to drop the body-hash parameter
> and leave the ext parameter. Body-hash as currently specified is going to
> cause significant interop issues due to character (and other) encoding
> issues. Providers who desire to MAC the body can define their own ext use
> case.
>
> Let me know if you have an objection to this change.
>
> EHL



-- 
Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
peter.wolanin@acquia.com : 781-313-8322

"Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"

From peter.wolanin@acquia.com  Wed Nov 23 16:57:43 2011
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 23 Nov 2011 19:57:30 -0500
Message-ID: <CAH0thKDCzvTkXB-OONghna2MEPTtqsJsYtL1tKR6SkcwooH48A@mail.gmail.com>
From: Peter Wolanin <peter.wolanin@acquia.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Ben Adida <ben@adida.net>, OAuth WG <oauth@ietf.org>, "Adam Barth \(adam@adambarth.com\)" <adam@adambarth.com>
Subject: Re: [OAUTH-WG] MAC Cookies

No objection from me, but it's too bad the browser vendors aren't interested.

-Peter

On Sat, Nov 19, 2011 at 10:33 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> I would like to drop the cookies support defined in the MAC document due to
> lack of interest from the browser vendors. At this point it is most likely
> going to be an unimplemented proposal. If there is interest in the future,
> it can be proposed in a separate document. This will allow us to bring this
> work to a quick conclusion.
>
> Any objections?
>
> EHL



-- 
Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
peter.wolanin@acquia.com : 781-313-8322

"Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"

From ve7jtb@ve7jtb.com  Wed Nov 23 17:01:58 2011
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 23 Nov 2011 22:01:50 -0300
Message-Id: <FF3DAF17-D2AF-4E02-AC4B-CDBCA1FE73FE@ve7jtb.com>
To: oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer


The draft-jones-oauth-jwt-bearer profile (http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02) is lacking a message ID that exists in the SAML version.

This is important for the receiver to detect replay attacks.

For Connect I made up a claim to use:

tid  The tid (token id) claim, A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.

I was tempted to use mid (Message ID) however it is the id of the token not the message.

If you add something I will change the claim to be consistent.

I think it needs to be in your spec.

Regards
John B.


From Michael.Jones@microsoft.com  Wed Nov 23 17:21:29 2011
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, oauth WG <oauth@ietf.org>
Thread-Topic: Message ID for draft-jones-oauth-jwt-bearer
Thread-Index: AQHMqkSsSZNH/xSrpk6bjRX2IcEdIJW7OZ9g
Date: Thu, 24 Nov 2011 01:21:23 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F74F94C@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <FF3DAF17-D2AF-4E02-AC4B-CDBCA1FE73FE@ve7jtb.com>
In-Reply-To: <FF3DAF17-D2AF-4E02-AC4B-CDBCA1FE73FE@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F74F94CTK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 01:21:29 -0000

--_000_4E1F6AAD24975D4BA5B16804296739435F74F94CTK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Thanks John.  This makes sense to me.

Feedback from others?

                                                            -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Wednesday, November 23, 2011 5:02 PM
To: oauth WG
Cc: Mike Jones
Subject: Message ID for draft-jones-oauth-jwt-bearer

The draft-jones-oauth-jwt-bearer <http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02> profile is lacking a message ID that exists in the SAML version.

This is important for the receiver to detect replay attacks.

For Connect I made up a claim to use:

tid  The tid (token id) claim. A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.

I was tempted to use mid (Message ID); however, it is the id of the token, not the message.

If you add something I will change the claim to be consistent.

I think it needs to be in your spec.

Regards
John B.

--_000_4E1F6AAD24975D4BA5B16804296739435F74F94CTK5EX14MBXC283r_--

From Michael.Jones@microsoft.com  Wed Nov 23 17:27:58 2011
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01B8C1F0C34 for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 17:27:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.26
X-Spam-Level: 
X-Spam-Status: No, score=-8.26 tagged_above=-999 required=5 tests=[AWL=-1.662,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKNTTKYhGyNO for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 17:27:56 -0800 (PST)
Received: from VA3EHSOBE007.bigfish.com (va3ehsobe006.messaging.microsoft.com [216.32.180.16]) by ietfa.amsl.com (Postfix) with ESMTP id 76AE011E80A4 for <oauth@ietf.org>; Wed, 23 Nov 2011 17:27:54 -0800 (PST)
Received: from mail140-va3-R.bigfish.com (10.7.14.246) by VA3EHSOBE007.bigfish.com (10.7.40.11) with Microsoft SMTP Server id 14.1.225.22; Thu, 24 Nov 2011 01:27:12 +0000
Received: from mail140-va3 (localhost [127.0.0.1])	by mail140-va3-R.bigfish.com (Postfix) with ESMTP id 708A430019F; Thu, 24 Nov 2011 01:24:07 +0000 (UTC)
X-SpamScore: -23
X-BigFish: VS-23(zz9371Kc85fhzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail140-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC105.redmond.corp.microsoft.com ; icrosoft.com ; 
Received: from mail140-va3 (localhost.localdomain [127.0.0.1]) by mail140-va3 (MessageSwitch) id 132209784752851_27893; Thu, 24 Nov 2011 01:24:07 +0000 (UTC)
Received: from VA3EHSMHS014.bigfish.com (unknown [10.7.14.250])	by mail140-va3.bigfish.com (Postfix) with ESMTP id E25FC180048; Thu, 24 Nov 2011 01:24:06 +0000 (UTC)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS014.bigfish.com (10.7.99.24) with Microsoft SMTP Server (TLS) id 14.1.225.22; Thu, 24 Nov 2011 01:27:08 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0247.005; Wed, 23 Nov 2011 17:27:48 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, oauth WG <oauth@ietf.org>
Thread-Topic: Message ID for draft-jones-oauth-jwt-bearer
Thread-Index: AQHMqkSsSZNH/xSrpk6bjRX2IcEdIJW7OZ9ggAAB1jA=
Date: Thu, 24 Nov 2011 01:27:47 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F74F95E@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <FF3DAF17-D2AF-4E02-AC4B-CDBCA1FE73FE@ve7jtb.com> <4E1F6AAD24975D4BA5B16804296739435F74F94C@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F74F94C@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F74F95ETK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 01:27:58 -0000

--_000_4E1F6AAD24975D4BA5B16804296739435F74F95ETK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Thinking about it a bit more, since others may want to use "tid" for claims with meanings like Transaction ID (or other words beginning with "t"), maybe the claim name should be "jti" (JSON Web Token ID) to reduce the chance of name collisions?

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, November 23, 2011 5:21 PM
To: John Bradley; oauth WG
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer

Thanks John.  This makes sense to me.

Feedback from others?

                                                            -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Wednesday, November 23, 2011 5:02 PM
To: oauth WG
Cc: Mike Jones
Subject: Message ID for draft-jones-oauth-jwt-bearer

The draft-jones-oauth-jwt-bearer <http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02> profile is lacking a message ID that exists in the SAML version.

This is important for the receiver to detect replay attacks.

For Connect I made up a claim to use:

tid  The tid (token id) claim. A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.

I was tempted to use mid (Message ID); however, it is the id of the token, not the message.

If you add something I will change the claim to be consistent.

I think it needs to be in your spec.

Regards
John B.

--_000_4E1F6AAD24975D4BA5B16804296739435F74F95ETK5EX14MBXC283r_--
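The one-time-use check John describes (the receiver de-duplicating assertions by their ID) and the claim name Mike proposes above, as an added example that is not part of this thread and is not code from either author or from the draft. It builds and verifies a minimal HS256 JWT with only the Python standard library, names the claim jti as Mike suggests (the name the eventual JWT specification, RFC 7519, adopted), and keeps a per-receiver cache of accepted IDs that is bounded by each assertion's exp. The key, issuer, audience and ID values are constructed for the demo; a real authorization server would look up the key registered for the client named in iss.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed demo values; none of these come from the thread or the draft.
DEMO_KEY = b"constructed-demo-secret-not-for-production"
DEMO_AUDIENCE = "https://as.example/token"   # assumed token endpoint URL
DEMO_ISSUER = "client-42"                     # assumed client identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: b64url(header).b64url(claims).b64url(mac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


class ReplayCache:
    """Accepted assertion IDs, each remembered until that assertion's exp passes.

    The exp check already rejects an expired assertion, so an ID only needs to
    be kept while the assertion it names could still be presented.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}   # jti -> exp

    def check_and_record(self, jti: str, exp: int, now: int) -> bool:
        """Return True and remember jti if unseen; False if already used."""
        for stale in [j for j, e in self._seen.items() if e <= now]:
            del self._seen[stale]
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_bearer_assertion(token: str, key: bytes, audience: str, issuer: str,
                            cache: ReplayCache, now: Optional[int] = None) -> dict:
    """Validate an assertion and enforce one-time use; raises ValueError on rejection.

    The signature is checked before any claim is trusted, and the jti is recorded
    only after every other check passes, so a forged or expired token cannot
    poison the cache.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("missing jti")
    if not cache.check_and_record(jti, exp, now):
        raise ValueError("replayed jti")
    return claims


def demo() -> List[str]:
    """Present one constructed assertion twice; returns the outcome of each attempt."""
    now = 1_700_000_000
    cache = ReplayCache()
    token = sign_jwt({"iss": DEMO_ISSUER, "sub": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
                      "iat": now, "exp": now + 300,
                      "jti": "8c2f0f1e-constructed-id"}, DEMO_KEY)
    outcomes = []
    for attempt in range(2):
        try:
            verify_bearer_assertion(token, DEMO_KEY, DEMO_AUDIENCE, DEMO_ISSUER,
                                    cache, now=now + attempt)
            outcomes.append("accepted")
        except ValueError as err:
            outcomes.append("rejected: " + str(err))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The second presentation of the same assertion is refused with "replayed jti" even though its signature and lifetime are still valid, which is exactly the property a bare JWT without an ID claim cannot give the receiver. Purging the cache by exp rather than by a fixed size is what keeps replay protection complete: an ID is forgotten only once the assertion that carried it would be rejected as expired anyway.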

From ve7jtb@ve7jtb.com  Wed Nov 23 18:11:50 2011
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 310D021F87E2 for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 18:11:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.808
X-Spam-Level: 
X-Spam-Status: No, score=-2.808 tagged_above=-999 required=5 tests=[AWL=-0.606, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QwmEHmgWFsGl for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 18:11:49 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4F39A21F8783 for <oauth@ietf.org>; Wed, 23 Nov 2011 18:11:49 -0800 (PST)
Received: by yenm7 with SMTP id m7so2446022yen.31 for <oauth@ietf.org>; Wed, 23 Nov 2011 18:11:44 -0800 (PST)
Received: by 10.236.46.193 with SMTP id r41mr21624485yhb.44.1322100703018; Wed, 23 Nov 2011 18:11:43 -0800 (PST)
Received: from [192.168.1.202] ([190.22.122.75]) by mx.google.com with ESMTPS id l19sm53798309anc.14.2011.11.23.18.11.40 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 23 Nov 2011 18:11:42 -0800 (PST)
References: <FF3DAF17-D2AF-4E02-AC4B-CDBCA1FE73FE@ve7jtb.com> <4E1F6AAD24975D4BA5B16804296739435F74F94C@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739435F74F95E@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F74F95E@TK5EX14MBXC283.redmond.corp.microsoft.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary=Apple-Mail-2238E96B-147A-4844-8895-4606CDAF6EDE
Message-Id: <D415CBDB-F94E-440E-ADC2-DA87F6BF4789@ve7jtb.com>
X-Mailer: iPad Mail (9A405)
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 23 Nov 2011 23:11:35 -0300
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 02:11:50 -0000

--Apple-Mail-2238E96B-147A-4844-8895-4606CDAF6EDE
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

With only three characters, combinations are at a premium.

People can always use longer names.

The ones that are going to be in most tokens are the important ones to keep short and memorable.

tid seems clearer than jti, but that is just me.  I will go with whatever is decided.

John B
Sent from my iPad

On 2011-11-23, at 10:27 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Thinking about it a bit more, since others may want to use “tid” for claims with meanings like Transaction ID (or other words beginning with “t”), maybe the claim name should be “jti” (JSON Web Token ID) to reduce the chance of name collisions?
> 
>                                                             -- Mike
> 
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Wednesday, November 23, 2011 5:21 PM
> To: John Bradley; oauth WG
> Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
> 
> Thanks John.  This makes sense to me.
> 
> Feedback from others?
> 
>                                                             -- Mike
> 
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Wednesday, November 23, 2011 5:02 PM
> To: oauth WG
> Cc: Mike Jones
> Subject: Message ID for draft-jones-oauth-jwt-bearer
> 
> The draft-jones-oauth-jwt-bearer profile is lacking a message ID that exists in the SAML version.
> 
> This is important for the receiver to detect replay attacks.
> 
> For Connect I made up a claim to use:
> 
> tid  The tid (token id) claim. A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.
> 
> I was tempted to use mid (Message ID); however, it is the id of the token, not the message.
> 
> If you add something I will change the claim to be consistent.
> 
> I think it needs to be in your spec.
> 
> Regards
> John B.

--Apple-Mail-2238E96B-147A-4844-8895-4606CDAF6EDE
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head></head><body bgcolor=3D"#FFFFFF"><div>With only three characters=
 combinations are at a premium.</div><div><br></div><div>People can all ways=
 use longer names. &nbsp;</div><div><br></div><div>The ones that are going t=
o be in most tokens are the important ones to keep short and memorable. &nbs=
p;<br><br>tid seems clearer than jti, but that is just me. &nbsp;I will go w=
ith whatever is decided.</div><div><br></div><div>John B<br>Sent from my iPa=
d</div><div><br>On 2011-11-23, at 10:27 PM, Mike Jones &lt;<a href=3D"mailto=
:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt; wrote:<br>=
<br></div><div></div><blockquote type=3D"cite"><div>

<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii">=

<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
	{mso-style-priority:99;
	mso-style-link:"Balloon Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:8.0pt;
	font-family:"Tahoma","sans-serif";}
span.apple-style-span
	{mso-style-name:apple-style-span;}
span.EmailStyle18
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.BalloonTextChar
	{mso-style-name:"Balloon Text Char";
	mso-style-priority:99;
	mso-style-link:"Balloon Text";
	font-family:"Tahoma","sans-serif";}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->


Thinking about it a bit more, since others may want to use “tid” for
claims with meanings like Transaction ID (or other words beginning with
“t”), maybe the claim name should be “jti” (JSON web Token ID) to reduce
the chance of name collisions?

                                -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, November 23, 2011 5:21 PM
To: John Bradley; oauth WG
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer

Thanks John.  This makes sense to me.

Feedback from others?

                                -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Wednesday, November 23, 2011 5:02 PM
To: oauth WG
Cc: Mike Jones
Subject: Message ID for draft-jones-oauth-jwt-bearer

The draft-jones-oauth-jwt-bearer profile
<http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02> is lacking
a message ID that exists in the SAML version.

This is important for the receiver to detect replay attacks.

For Connect I made up a claim to use:

tid  The tid (token id) claim: a nonce or unique identifier for the
assertion. The Assertion ID may be used by implementations requiring
message de-duplication for one-time use assertions.

I was tempted to use mid (Message ID); however, it is the id of the
token, not the message.

If you add something I will change the claim to be consistent.

I think it needs to be in your spec.

Regards
John B.
</div></blockquote></body></html>

--Apple-Mail-2238E96B-147A-4844-8895-4606CDAF6EDE--
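
The replay check John describes, as an added example that is not part of the thread or of either draft: the receiver keeps the IDs of assertions it has already accepted, keyed on a "jti" claim (the name Mike proposes; "tid" would work identically), and forgets an ID only once the assertion that carried it has expired, so the set stays bounded without ever letting a still-valid assertion be presented twice. The assertion here is a compact JWT signed with HMAC-SHA256 under a shared key, which is an assumption made for illustration; the claim values are constructed.

```python
"""
One-time-use JWT bearer assertions: signature check plus "jti" replay
detection. Added example, not code from draft-jones-oauth-jwt-bearer or
from anyone on the list. HS256 with a shared key is assumed for the
signature; the claims and key below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: HS256 key shared with the issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issuer side: compact JWT header.payload.signature over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class AssertionConsumer:
    """Receiver side. Accepted IDs are remembered until the assertion's
    'exp' has passed; after that the assertion is rejected as expired
    anyway, so its ID can be dropped from the set safely."""

    def __init__(self, key: bytes = SHARED_KEY, now=time.time):
        self._key = key
        self._now = now          # injectable clock, for testing
        self._seen = {}          # jti -> exp of the assertion that carried it

    def _purge(self) -> None:
        now = self._now()
        for jti, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[jti]

    def accept(self, token: str):
        """Returns (accepted, reason). Signature is checked before any
        claim is trusted; the ID check comes last so an attacker cannot
        probe the seen-set with unsigned tokens."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad_signature"
        claims = json.loads(_b64url_decode(payload))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self._now():
            return False, "expired"
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            # Nothing to deduplicate on: a one-time-use policy cannot be enforced.
            return False, "missing_jti"
        self._purge()
        if jti in self._seen:
            return False, "replay"
        self._seen[jti] = exp
        return True, "ok"
```

The purge is driven by "exp" rather than by a fixed window, which is the property that makes the bounded set safe: an ID is only forgotten once any assertion carrying it would be rejected on expiry alone. A receiver that is itself replicated needs the seen-set in shared storage, or replay detection only holds per node.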

From eran@hueniverse.com  Wed Nov 23 22:58:06 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01BF11F0C4F for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 22:58:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.484
X-Spam-Level: 
X-Spam-Status: No, score=-2.484 tagged_above=-999 required=5 tests=[AWL=0.115,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJ0KE-EEfCCH for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 22:58:05 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 2D8E31F0C65 for <oauth@ietf.org>; Wed, 23 Nov 2011 22:58:05 -0800 (PST)
Received: (qmail 13414 invoked from network); 24 Nov 2011 06:58:04 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 24 Nov 2011 06:58:03 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Wed, 23 Nov 2011 23:58:03 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Wed, 23 Nov 2011 23:57:53 -0700
Thread-Topic: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
Thread-Index: AcyqcVs6qohHC3TGRQCh0f4joQWnmgABQWkg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735F30F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <380D90BE-FAAE-4BF4-BDC4-B177E2A73205@mnot.net>
In-Reply-To: <380D90BE-FAAE-4BF4-BDC4-B177E2A73205@mnot.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 06:58:06 -0000

-----Original Message-----
From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org]
On Behalf Of Mark Nottingham
Sent: Wednesday, November 23, 2011 10:22 PM
To: IETF Apps Discuss; draft-ietf-oauth-v2-bearer.all@ietf.org
Cc: The IESG
Subject: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14

I have been selected as the Applications Area Review Team reviewer for
this draft (for background on apps-review, please see
<http://www.apps.ietf.org/content/applications-area-review-team>).

Please resolve these comments along with any other Last Call comments
you may receive. Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-oauth-v2-bearer-14
Title: OAuth 2.0 Bearer Tokens
Reviewer: Mark Nottingham
Review Date: 24/11/2011

Summary: This draft is almost ready for publication as a Proposed
Standard, but has a few issues that should be fixed.

Major Issues
------------

* Section 2.3 URI Query Parameter

This section effectively reserves a URI query parameter for the draft's
use. This should not be done lightly, since this would be a precedent
for the IETF encroaching upon a server's URIs (done previously in
RFC5785, but in a much more limited fashion, as a tactic to prevent
further, uncontrolled encroachment).

Given that the draft already discourages the use of this mechanism, I'd
recommend dropping it altogether. If the Working Group wishes it to
remain, this issue should be vetted both through the APPS area and the
W3C liaison.

(The same criticism could be leveled at Section 2.2 Form-Encoded Body
Parameter, but that at least isn't surfaced in an identifier)

* Section 3 The WWW-Authenticate Response Header Field

The draft references the quoted-string ABNF from HTTP, but changes its
processing in a later paragraph:

"""In all these cases, no character quoting will occur, as senders are
prohibited from using the %5C ('\') character."""

This is at best surprising (as many readers will reasonably surmise that
using the quoted-string ABNF implies that the same code can be used).
Please either use quoted-string as defined (i.e., with escaping).


Minor Issues
------------

* Section 1: Introduction

The introduction explains oauth, but it doesn't fully explain the
relationship of this specification to OAuth 2.0. E.g., can it be used
independently from the rest of OAuth? Likewise, the overview (section
1.3) seems more specific to the OAuth specification than this document.
As I read it, this mechanism could be used for ANY bearer token, not
just one generated through OAuth flows.

If it is indeed more general, I'd recommend minimising the discussion of
OAuth, perhaps even removing it from the document title.

* Section 3 The WWW-Authenticate Response Header Field

The difference between a realm and a scope is not explained. Are they
functionally equivalent, just a single value vs. a list?

Do you really intend to disallow *all* extension parameters on the
challenge?

Also, the scope, error, error_description and error_uri parameters all
specify only a quoted-string serialisation. HTTPbis strongly suggests
that new schemes allow both forms, because implementation experience has
shown that implementations will likely support both, no matter how
defined; this improves interoperability (see p7 2.3.1).

Finally, the error_description parameter can carry only ASCII
characters. While I understand a tradeoff has been made here (and, in my
judgement, an appropriate one), it's appropriate to highlight this in
review.

* General

The draft currently doesn't mention whether Bearer is suitable for use
as a proxy authentication scheme. I suspect it *may*; it would be worth
discussing this with some proxy implementers to gauge their interest
(e.g., Squid).


Nits
----

* Section 2.1 Authorization Request Header Field

"simplicity reasons" --> "simplicity"

"If additional parameters are desired in the future, a different scheme
could be defined." --> "If additional parameters are needed in the
future, a different scheme would need to be defined."

* Section 3 The WWW-Authenticate Response Header Field

The requirement that a resource server MUST include the HTTP
WWW-Authenticate response header field is odd; really this is at the
discretion of the server. Is it really necessary to use a conformance
requirement here?

URI-reference --> URI-Reference

* Section 3.1 Error Codes

405 belongs in the list of typically appropriate status codes as well.


Kind regards,

--
Mark Nottingham   http://www.mnot.net/



_______________________________________________
apps-discuss mailing list
apps-discuss@ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss
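
Mark's quoted-string point, as an added example that is not code from the draft or from the review: a parser for the Bearer challenge that treats auth-param values the way generic HTTP code does, applying quoted-string as defined (quoted-pair backslash escapes are resolved) and also accepting the bare token form HTTPbis suggests allowing, plus the matching serializer. A recipient that reuses its HTTP auth-param code gets exactly this behaviour, which is why a scheme that says "no character quoting will occur" while pointing at the quoted-string ABNF reads as surprising. All header values are constructed.

```python
"""
Bearer challenge parser and serializer that handle auth-param values as
generic HTTP code does: quoted-string with quoted-pair escaping, or a bare
token. Added example, not code from draft-ietf-oauth-v2-bearer. Header
values used with it are constructed.
"""
import re

# token and quoted-string per HTTP; a quoted-pair is backslash + any char
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_QUOTED}|{_TOKEN})\s*(?:,|$)")


def _unquote(value: str) -> str:
    """Strip quoted-string framing and resolve quoted-pairs; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_bearer_challenge(header: str) -> dict:
    """Parse 'Bearer' followed by a comma-separated auth-param list.
    Names are case-insensitive; a duplicate name, or a value that is
    neither token nor quoted-string, raises ValueError."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = _unquote(m.group(2))
        pos = m.end()
    return params


def _quote(value: str) -> str:
    """Emit quoted-string, escaping the two characters it cannot carry raw."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_bearer_challenge(realm=None, scope=None, error=None,
                            error_description=None, error_uri=None) -> str:
    """Build a WWW-Authenticate value; parameters left as None are omitted,
    so a bare 'Bearer' challenge is possible."""
    fields = (("realm", realm), ("scope", scope), ("error", error),
              ("error_description", error_description), ("error_uri", error_uri))
    parts = [f"{name}={_quote(value)}" for name, value in fields if value is not None]
    return "Bearer" + (" " + ", ".join(parts) if parts else "")
```

The interesting input is an error_description containing a quote or a comma, such as `error_description="said \"no\", retry"`: a reader who splits on commas and strips the outer quotes, which is what the draft's text invites, gets a different value than a reader who runs the HTTP rule. Accepting both token and quoted-string on input costs nothing here and removes the other interoperability trap Mark points to.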

From phil.hunt@oracle.com  Wed Nov 23 23:36:10 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197541F0C75 for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 23:36:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.529
X-Spam-Level: 
X-Spam-Status: No, score=-6.529 tagged_above=-999 required=5 tests=[AWL=0.070,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k93qcDjdUn6t for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 23:36:09 -0800 (PST)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 2F5391F0C72 for <oauth@ietf.org>; Wed, 23 Nov 2011 23:36:09 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pAO7a2iJ003944 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Nov 2011 07:36:02 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pAO7a0od016877 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 24 Nov 2011 07:36:01 GMT
Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pAO7Zs1j007494; Thu, 24 Nov 2011 01:35:55 -0600
Received: from [192.168.1.8] (/24.87.204.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 23 Nov 2011 23:35:54 -0800
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CAH0thKDCzvTkXB-OONghna2MEPTtqsJsYtL1tKR6SkcwooH48A@mail.gmail.com>
Date: Wed, 23 Nov 2011 23:35:56 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E9E2454-C524-405A-8E05-48146566656B@oracle.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAH0thKDCzvTkXB-OONghna2MEPTtqsJsYtL1tKR6SkcwooH48A@mail.gmail.com>
To: Peter Wolanin <peter.wolanin@acquia.com>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
X-CT-RefId: str=0001.0A020202.4ECDF3E3.0050,ss=1,re=0.000,fgs=0
Cc: Ben Adida <ben@adida.net>, "Adam Barth \(adam@adambarth.com\)" <adam@adambarth.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC Cookies
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 07:36:10 -0000

Eran,

I see value (at least for servers) in having browser and HTTP clients
work with common tokens (e.g. MAC) - even though the mechanism for
exchange may vary.

I had an email exchange with Harry Halpin. He suggests cross posting to
the w3c public-identity list.

They are discussing web cryptography and MAC tokens may be an important
use case.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-23, at 4:57 PM, Peter Wolanin wrote:

> No objection from me, but it's too bad the browser vendors aren't
> interested.
>
> -Peter
>
> On Sat, Nov 19, 2011 at 10:33 AM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
>> I would like to drop the cookies support defined in the MAC document
>> due to lack of interest from the browser vendors. At this point it is
>> most likely going to be an unimplemented proposal. If there is
>> interest in the future, it can be proposed in a separate document.
>> This will allow us to bring this work to a quick conclusion.
>>
>> Any objections?
>>
>> EHL
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
> peter.wolanin@acquia.com : 781-313-8322
>
> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From hannes.tschofenig@nsn.com  Wed Nov 23 23:51:23 2011
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E86D321F8AF2 for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 23:51:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.667
X-Spam-Level: 
X-Spam-Status: No, score=-106.667 tagged_above=-999 required=5 tests=[AWL=-0.068, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eone35V3QBR2 for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2011 23:51:23 -0800 (PST)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id B8B0221F86F6 for <oauth@ietf.org>; Wed, 23 Nov 2011 23:51:22 -0800 (PST)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id pAO7pL44014143 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Thu, 24 Nov 2011 08:51:21 +0100
Received: from DEMUEXC047.nsn-intra.net ([10.159.32.93]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id pAO7pIbD023865 for <oauth@ietf.org>; Thu, 24 Nov 2011 08:51:21 +0100
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by DEMUEXC047.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675);  Thu, 24 Nov 2011 08:51:06 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 24 Nov 2011 09:51:04 +0200
Message-ID: <999913AB42CC9341B05A99BBF358718DCD2102@FIESEXC035.nsn-intra.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
Thread-Index: AcyqcV5Qq4gANlE2TFCb1dZBk8wPbwADGEFg
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: <oauth@ietf.org>
X-OriginalArrivalTime: 24 Nov 2011 07:51:06.0034 (UTC) FILETIME=[D2278120:01CCAA7D]
Subject: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 07:51:24 -0000

FYI

-----Original Message-----
From: apps-discuss-bounces@ietf.org
[mailto:apps-discuss-bounces@ietf.org] On Behalf Of ext Mark Nottingham
Sent: Thursday, November 24, 2011 8:22 AM
To: IETF Apps Discuss; draft-ietf-oauth-v2-bearer.all@ietf.org
Cc: The IESG
Subject: [apps-discuss] APPS Area review of
draft-ietf-oauth-v2-bearer-14


From peter.wolanin@acquia.com  Thu Nov 24 05:02:46 2011
Return-Path: <peter.wolanin@acquia.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEEBD21F8B9C for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 05:02:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level: 
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIXx+GCfPMFg for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 05:02:42 -0800 (PST)
Received: from exprod7og102.obsmtp.com (exprod7og102.obsmtp.com [64.18.2.157]) by ietfa.amsl.com (Postfix) with SMTP id 3EDB421F8BA0 for <oauth@ietf.org>; Thu, 24 Nov 2011 05:02:42 -0800 (PST)
Received: from mail-qy0-f177.google.com ([209.85.216.177]) (using TLSv1) by exprod7ob102.postini.com ([64.18.6.12]) with SMTP ID DSNKTs5AbwE46wKNTPhQRLtnYK9OvKjW/3Xv@postini.com; Thu, 24 Nov 2011 05:02:42 PST
Received: by qyk4 with SMTP id 4so688371qyk.36 for <oauth@ietf.org>; Thu, 24 Nov 2011 05:02:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.50.65 with SMTP id a1mr9471615obo.17.1322139756846; Thu, 24 Nov 2011 05:02:36 -0800 (PST)
Received: by 10.182.30.228 with HTTP; Thu, 24 Nov 2011 05:02:36 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735F30E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAH0thKCUN9+Q47ZkGPzvfk81S0yUXxzxD8XURJP=p-ZBvOJ6pw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234526735F30E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 24 Nov 2011 08:02:36 -0500
Message-ID: <CAH0thKAnBDr23DpPdONUiGekkNrd52AXUcBTjHDWQJky47T6fw@mail.gmail.com>
From: Peter Wolanin <peter.wolanin@acquia.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: body-hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 13:02:46 -0000

I'd lobby for something more than just prose, since for me, including
the body or body hash in the HMAC is a pretty essential piece of
security for any real implementation.  I understand that you think it
should not be 100% required by all servers, and hence should not be a
specified field, but then I think it should be something like a
"standard" extension.

For example, retain some of the existing text describing the bodyhash
as using the same algorithm as the HMAC and show an example like:

ext="bodyhash:k9kbtCIy0CkI3/FEfpS/oIDjk6k="

Are there any other specific things you see as common examples of ext
values?  Is there a suggested system for indicating or separating
multiple ext values?

It seems to me without a standardized way to include the body hash in
the ext field, you immediately invite more diversity in
implementations.  It would also seem by putting it in the ext field,
any client could include the hash even if the server doesn't require
it?

Best,

Peter

On Thu, Nov 24, 2011 at 12:21 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> In prose, sure. But I'd rather not go further than that.
>
> EHL
>
>> -----Original Message-----
>> From: Peter Wolanin [mailto:peter.wolanin@acquia.com]
>> Sent: Wednesday, November 23, 2011 11:53 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] MAC: body-hash
>>
>> As long as a specific service can make an ext containing the body hash
>> required, I think this is fine.  Can the spec include body hash as an example of
>> an ext?
>>
>> Thanks,
>>
>> Peter
>>
>> On Sat, Nov 19, 2011 at 10:39 AM, Eran Hammer-Lahav
>> <eran@hueniverse.com> wrote:
>> > I want to reaffirm our previous consensus to drop the body-hash
>> > parameter and leave the ext parameter. Body-hash as currently
>> > specified is going to cause significant interop issues due to
>> > character (and other) encoding issues. Providers who desire to MAC the
>> > body can define their own ext use case.
>> >
>> >
>> >
>> > Let me know if you have an objection to this change.
>> >
>> >
>> >
>> > EHL
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>>
>>
>>
>> --
>> Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
>> peter.wolanin@acquia.com : 781-313-8322
>>
>> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"



-- 
Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
peter.wolanin@acquia.com : 781-313-8322

"Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
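
What Peter is arguing for, as an added example that is not code from the MAC draft or from any participant: a request MAC that covers a "bodyhash:..." value carried in ext, beside one that leaves the body out, with the server re-hashing the body it actually received. The normalized string layout (nonce, method, request-URI, host, port, ext, each newline-terminated), the use of SHA-1 for the body hash to match an hmac-sha-1 request MAC, an ext that carries only this one value, and the key, nonce and request data are all assumptions made for this example.

```python
"""
Binding the request body into a MAC-signed request. Added example, not
code from the OAuth MAC draft or from anyone on the list. Assumed here:
the request MAC is hmac-sha-1 over a normalized string of nonce, method,
request-URI, host, port and ext, each followed by a newline; the body
hash travels in ext as "bodyhash:" + base64(SHA-1(body)), i.e. the same
hash family as the MAC; ext holds only that value; key, nonce and request
data are constructed.
"""
import base64
import hashlib
import hmac

MAC_KEY = b"489dks293j39"  # constructed shared MAC key
BODYHASH_PREFIX = "bodyhash:"


def body_hash(body: bytes) -> str:
    """base64(SHA-1(body)), matching the digest family of the hmac-sha-1 MAC."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def normalized_request(nonce, method, request_uri, host, port, ext) -> bytes:
    """Fixed order, each element newline-terminated, so both sides MAC the same bytes."""
    parts = (nonce, method.upper(), request_uri, host.lower(), str(port), ext)
    return "".join(p + "\n" for p in parts).encode("utf-8")


def compute_mac(key, nonce, method, request_uri, host, port, ext) -> str:
    msg = normalized_request(nonce, method, request_uri, host, port, ext)
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def sign_request(key, nonce, method, request_uri, host, port, body, bind_body):
    """Client side: returns (ext, mac). With bind_body the body hash goes
    into ext and is therefore covered by the MAC; without it the MAC says
    nothing at all about the body."""
    ext = BODYHASH_PREFIX + body_hash(body) if bind_body else ""
    return ext, compute_mac(key, nonce, method, request_uri, host, port, ext)


def verify_request(key, nonce, method, request_uri, host, port, ext, mac, body, require_body_hash):
    """Server side: recompute the MAC over the received header values; if
    this service requires the extension, also re-hash the body it actually
    received and compare it with the hash the client committed to."""
    expected = compute_mac(key, nonce, method, request_uri, host, port, ext)
    if not hmac.compare_digest(expected.encode("ascii"), mac.encode("ascii")):
        return False
    if require_body_hash:
        if not ext.startswith(BODYHASH_PREFIX):
            return False  # client omitted the hash; policy says reject
        claimed = ext[len(BODYHASH_PREFIX):]
        if not hmac.compare_digest(claimed.encode("ascii"), body_hash(body).encode("ascii")):
            return False  # body differs from what the client signed
    return True


if __name__ == "__main__":
    req = ("264095:dj83hs9s", "POST", "/transfer", "example.com", 443)
    original = b'{"to":"alice","amount":10}'
    swapped = b'{"to":"mallory","amount":9999}'
    ext, mac = sign_request(MAC_KEY, *req, original, False)
    print("unbound MAC accepts swapped body:", verify_request(MAC_KEY, *req, ext, mac, swapped, False))
    ext, mac = sign_request(MAC_KEY, *req, original, True)
    print("bound MAC accepts swapped body:  ", verify_request(MAC_KEY, *req, ext, mac, swapped, True))
```

The first run shows the gap Peter describes: with the body outside the normalized string, an on-path party can replace the body and the request still verifies. Putting the hash in ext closes it for the services that choose to require it, and, because ext is already part of what is MACed, a client can send it even to a server that does not check it.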

From eran@hueniverse.com  Thu Nov 24 09:17:23 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F175E21F8C2F for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 09:17:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.487
X-Spam-Level: 
X-Spam-Status: No, score=-2.487 tagged_above=-999 required=5 tests=[AWL=0.112,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QqgfjJVydoBS for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 09:17:22 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 19A3B21F8C2A for <oauth@ietf.org>; Thu, 24 Nov 2011 09:17:21 -0800 (PST)
Received: (qmail 17044 invoked from network); 24 Nov 2011 17:17:19 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.46) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 24 Nov 2011 17:17:18 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT004.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Thu, 24 Nov 2011 10:17:17 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Peter Wolanin <peter.wolanin@acquia.com>
Date: Thu, 24 Nov 2011 10:17:07 -0700
Thread-Topic: [OAUTH-WG] MAC: body-hash
Thread-Index: AcyqqVjy3uUCYK8nSSC+rfSrgUrRVgAInRZQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735F32A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAH0thKCUN9+Q47ZkGPzvfk81S0yUXxzxD8XURJP=p-ZBvOJ6pw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234526735F30E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAH0thKAnBDr23DpPdONUiGekkNrd52AXUcBTjHDWQJky47T6fw@mail.gmail.com>
In-Reply-To: <CAH0thKAnBDr23DpPdONUiGekkNrd52AXUcBTjHDWQJky47T6fw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: body-hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 17:17:23 -0000

From eran@hueniverse.com  Thu Nov 24 09:19:51 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9466621F8A6C for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 09:19:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.49
X-Spam-Level: 
X-Spam-Status: No, score=-2.49 tagged_above=-999 required=5 tests=[AWL=0.109,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ycJHfCuNZRZV for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 09:19:51 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id F2EE421F8A57 for <oauth@ietf.org>; Thu, 24 Nov 2011 09:19:50 -0800 (PST)
Received: (qmail 26503 invoked from network); 24 Nov 2011 17:19:50 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 24 Nov 2011 17:19:50 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 24 Nov 2011 10:19:50 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Phil Hunt <phil.hunt@oracle.com>, Peter Wolanin <peter.wolanin@acquia.com>
Date: Thu, 24 Nov 2011 10:19:40 -0700
Thread-Topic: [OAUTH-WG] MAC Cookies
Thread-Index: Acyqe7vZbe1a7D/tQWaWbxp2Vq9s7gAUVCUw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735F32B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAH0thKDCzvTkXB-OONghna2MEPTtqsJsYtL1tKR6SkcwooH48A@mail.gmail.com> <2E9E2454-C524-405A-8E05-48146566656B@oracle.com>
In-Reply-To: <2E9E2454-C524-405A-8E05-48146566656B@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Ben Adida <ben@adida.net>, OAuth WG <oauth@ietf.org>, "Adam Barth \(adam@adambarth.com\)" <adam@adambarth.com>
Subject: Re: [OAUTH-WG] MAC Cookies
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 17:19:51 -0000

MAC tokens are a solution, not a use case :-)

As for reaching out, I'll leave it to the chairs to decide how they want to proceed.

EHL


> -----Original Message-----
> From: Phil Hunt [mailto:phil.hunt@oracle.com]
> Sent: Wednesday, November 23, 2011 11:36 PM
> To: Peter Wolanin
> Cc: Eran Hammer-Lahav; Ben Adida; OAuth WG; Adam Barth
> (adam@adambarth.com)
> Subject: Re: [OAUTH-WG] MAC Cookies
>
> Eran,
>
> I see value (at least for servers) in having browser and HTTP clients work with
> common tokens (e.g. MAC) - even though the mechanism for exchange may
> vary.
>
> I had an email exchange with Harry Halpin. He suggests cross posting to the
> w3c public-identity list.
>
> They are discussing web cryptography and MAC tokens may be an important
> use case.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
> On 2011-11-23, at 4:57 PM, Peter Wolanin wrote:
>
> > No objection from me, but it's too bad the browser vendors aren't
> interested.
> >
> > -Peter
> >
> > On Sat, Nov 19, 2011 at 10:33 AM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> >> I would like to drop the cookies support defined in the MAC document
> >> due to lack of interest from the browser vendors. At this point it is
> >> most likely going to be an unimplemented proposal. If there is
> >> interest in the future, it can be proposed in a separate document.
> >> This will allow us to bring this work to a quick conclusion.
> >>
> >>
> >>
> >> Any objections?
> >>
> >>
> >>
> >> EHL
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> >
> >
> > --
> > Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
> > peter.wolanin@acquia.com : 781-313-8322
> >
> > "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth


From bart@all4students.nl  Mon Nov 28 07:12:55 2011
Return-Path: <bart@all4students.nl>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E99721F8801 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 07:12:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.696
X-Spam-Level: **
X-Spam-Status: No, score=2.696 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, J_CHICKENPOX_38=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXNfVjDf0r3D for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 07:12:51 -0800 (PST)
Received: from mx-out14.all4students.nl (mx-out14.all4students.nl [89.188.22.31]) by ietfa.amsl.com (Postfix) with ESMTP id CC26721F86F6 for <oauth@ietf.org>; Mon, 28 Nov 2011 07:12:49 -0800 (PST)
Received: from mx-out14.all4students.nl (localhost [127.0.0.1]) by mx-out14.all4students.nl (Postfix) with ESMTP id B2688943A4 for <oauth@ietf.org>; Mon, 28 Nov 2011 16:12:47 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=studenten.net; h= mime-version:content-type:content-transfer-encoding:subject:date :message-id:from:to; s=selector1; bh=3YD6eaVTxhcTuHX5L0CIp3REP3U =; b=RDW27gcc59QIMK5KHSpPRcrdWSSONlc9NzhGMAmQGtD8bkOSR6Wu8FGDTIk LxnUFpexlnZ8OMjRMQUmQNU4VdxraP0QydiUxJmBRBPYuM0lkK8VNqmpkqOPHRZI T1l/WrTBIa/A8V/EsbHM+ieKfdQn+3pEWVfWnqcW3v54v+Gs=
Received: from all4students.nl (ip189-178-172-82.adsl2.static.versatel.nl [82.172.178.189]) by mx-out14.all4students.nl (Postfix) with ESMTP id 730BD943A2 for <oauth@ietf.org>; Mon, 28 Nov 2011 16:12:47 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 28 Nov 2011 16:12:46 +0100
Message-ID: <AEDA1B65E9329448939CEFA895C129E203850B03@studentserver.studentennet.local>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Refresh tokens
Thread-Index: Acyt2/bOtM27kC+bR6Gqmw6v1flLWw==
From: "Bart Wiegmans" <bart@all4students.nl>
To: "oauth WG" <oauth@ietf.org>
Subject: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 15:12:55 -0000

Hello everybody,

This is my first post on this mailing list, so I will introduce myself.
My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am
involved with OAuth2 because I am implementing an authorization server
for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access
token exposure. Which I find desirable.
2. However, they can also be seen as credentials for an access token
request. In which case, refresh token exposure is a more serious risk
than access token exposure.
3. Are there, or will there ever be, multiple refresh token types as
there are access token types?
4. Can a public client use refresh tokens at all, or is this
meaningless? If not, are public clients that are installed on a user's
computer or smartphone required to re-authorise every time an access
token expires? (This would be undesirable). Should they request
long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (javascript)
clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer

From bart@all4students.nl  Mon Nov 28 07:20:48 2011
Return-Path: <bart@all4students.nl>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4200821F8CFC for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 07:20:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.396
X-Spam-Level: *
X-Spam-Status: No, score=1.396 tagged_above=-999 required=5 tests=[AWL=1.300,  BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, J_CHICKENPOX_38=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trN7h8oP8xeM for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 07:20:47 -0800 (PST)
Received: from mx-out14.all4students.nl (mx-out14.all4students.nl [89.188.22.31]) by ietfa.amsl.com (Postfix) with ESMTP id 89A8D21F8B2D for <oauth@ietf.org>; Mon, 28 Nov 2011 07:20:47 -0800 (PST)
Received: from mx-out14.all4students.nl (localhost [127.0.0.1]) by mx-out14.all4students.nl (Postfix) with ESMTP id CE2EB943A4 for <oauth@ietf.org>; Mon, 28 Nov 2011 16:20:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=studenten.net; h= mime-version:content-type:content-transfer-encoding:subject:date :message-id:from:to; s=selector1; bh=qxNIHNrfzZXms4Z2nxRJAhxQTmI =; b=E7dBq8Le/2NL63UwtQjyAMWL6STfNdGv/aaXyk9z3rWLslUEOob8tP8BOX8 iBxJVDNEFunn/co02Qca1eVPA7CqAaSQbmWb94DrhF91a7dCEa83kG4G++0tkEqX ItgK3Wke3vd5aJQgV4HyNACvV7aG5YnGjASpHxClFLzoVsNg=
Received: from all4students.nl (ip189-178-172-82.adsl2.static.versatel.nl [82.172.178.189]) by mx-out14.all4students.nl (Postfix) with ESMTP id AEB68943A2 for <oauth@ietf.org>; Mon, 28 Nov 2011 16:20:46 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 28 Nov 2011 16:20:45 +0100
Message-ID: <AEDA1B65E9329448939CEFA895C129E203850B04@studentserver.studentennet.local>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Refresh tokens
Thread-Index: Acyt2/bOtM27kC+bR6Gqmw6v1flLWwABGbyA
From: "Bart Wiegmans" <bart@all4students.nl>
To: "oauth WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 15:20:48 -0000

I forgot the following question:

5. If refresh tokens are just another way of requesting access tokens, I
believe they should be specified in section 4, with other grant types.
But there must be a reason for the way it is now, so why?

With kind regards,
Bart Wiegmans | Developer

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bart
Wiegmans
Sent: Monday, 28 November 2011 16:13
To: oauth WG
Subject: [OAUTH-WG] Refresh tokens

Hello everybody,

This is my first post on this mailing list, so I will introduce myself.
My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am
involved with OAuth2 because I am implementing an authorization server
for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access
token exposure. Which I find desirable.
2. However, they can also be seen as credentials for an access token
request. In which case, refresh token exposure is a more serious risk
than access token exposure.
3. Are there, or will there ever be, multiple refresh token types as
there are access token types?
4. Can a public client use refresh tokens at all, or is this
meaningless? If not, are public clients that are installed on a user's
computer or smartphone required to re-authorise every time an access
token expires? (This would be undesirable). Should they request
long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (javascript)
clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

From wmills@yahoo-inc.com  Mon Nov 28 09:09:45 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E430F21F8B03 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 09:09:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.998
X-Spam-Level: 
X-Spam-Status: No, score=-16.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fw++BiRJjle7 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 09:09:45 -0800 (PST)
Received: from nm25.bullet.mail.ac4.yahoo.com (nm25.bullet.mail.ac4.yahoo.com [98.139.52.222]) by ietfa.amsl.com (Postfix) with SMTP id 0B8BE21F899F for <oauth@ietf.org>; Mon, 28 Nov 2011 09:09:44 -0800 (PST)
Received: from [98.139.52.196] by nm25.bullet.mail.ac4.yahoo.com with NNFMP; 28 Nov 2011 17:09:39 -0000
Received: from [98.139.52.141] by tm9.bullet.mail.ac4.yahoo.com with NNFMP; 28 Nov 2011 17:09:39 -0000
Received: from [127.0.0.1] by omp1024.mail.ac4.yahoo.com with NNFMP; 28 Nov 2011 17:09:39 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 626960.86199.bm@omp1024.mail.ac4.yahoo.com
Received: (qmail 68252 invoked by uid 60001); 28 Nov 2011 17:09:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322500179; bh=z5xN9EqFFANXMRMKTj+Hm9j7QbOxsh79u20vP9TqLQk=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=TBHlJJ/Zf91i85eJZ1C0nPjjRcr+OU348CXJ+e8igBzuXPbVra0TiL1kIM/zABhkl2EDAjv3l57GxufuLduyG+o6z08Z1s65nEZV8kdbyjB3T4Iu+2hkj5UUwofYR1nZP9MAujUNJbRAH7yY2xNoS/kpogNfD+66JfrzXEhElns=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=pUKHHTS/Vw9GppRdSBHBMw8U3VXiWc/i+MQZ/H+nlDPN2E278fBUwBfTRUSfH8eOJOXxQLlxhtlHziNOTevKgFIQd+BxCTVUVTRekRveKsCVzQl/DvxCiHhb7rXfLDTO1DlFrPajBaFGGX3VBt7RWj6GYPFkV0zMwatOVvaDo/Y=;
X-YMail-OSG: 7egukr8VM1lan6MMUqLrIBJa0Kxqv97aMMjfN_5zANg9W.f wbLUTNSftRR0oygmEfhT9jOW9ZDjhA1lYErk67O_Dxs3lS5TSEkFthJn_MZu HstudaFof035Ivi1.dUaz8PAhtWmVqS8qAtPuA6e2LSxLOpUccGwwrrUqZu0 G3TykLth8TataoieADx5xJGRZT628fjPWHv8rjuhOFIuj5dOg8sl4h_7sBTj gdLY5mp8wTsY3ddhpK8Lz1.aqjFszAkEGwBXuoBf3a7lWMqvoHDGYIsw5biY hf_Q8.FjHn458flc0BTEBzgLSZZvyGFUECGJr8ImnIpSXry5r7eazio9giYX xRxsX4vKyZLZcvjY3a1SZ12eUid.XVqggR6gbt_49XPy2Ph2s61K.BYYBd7T dtmFmfgsECPeCzRRY.AL10Hw3uARILCPkAQ6iXjCRlmIc87gcT_HfljWkMFv cQJJxkDj9eFfK
Received: from [99.31.212.42] by web31801.mail.mud.yahoo.com via HTTP; Mon, 28 Nov 2011 09:09:38 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.115.331203
References: <AEDA1B65E9329448939CEFA895C129E203850B04@studentserver.studentennet.local>
Message-ID: <1322500178.60395.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Mon, 28 Nov 2011 09:09:38 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Bart Wiegmans <bart@all4students.nl>, oauth WG <oauth@ietf.org>
In-Reply-To: <AEDA1B65E9329448939CEFA895C129E203850B04@studentserver.studentennet.local>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-368338466-1668142724-1322500178=:60395"
Subject: Re: [OAUTH-WG] Refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 17:09:46 -0000

---368338466-1668142724-1322500178=:60395
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

1&2) Yep.  This is why flows using Refresh Tokens must always use SSL.

3) Refresh tokens are comparable to access tokens in that you can scope them etc.  In fact it makes a great deal of sense to limit them in the same way the access tokens are limited.

4) The answer here depends on the security requirements for your app.  It all depends on whether you feel the client can keep a secret, either a MAC signing secret or a token.  Whether you store them on disk or not depends a lot on how you'd plan to store them, if it's in a browser then you're pretty much trusting the user level file security on the computer.

5) Not sure, might be that Eran wanted to generalize it so as not to be putting specific authentication scheme constructs into the base framework.

-bill

________________________________
From: Bart Wiegmans <bart@all4students.nl>
To: oauth WG <oauth@ietf.org>
Sent: Monday, November 28, 2011 7:20 AM
Subject: Re: [OAUTH-WG] Refresh tokens

I forgot the following question:

5. If refresh tokens are just another way of requesting access tokens, I
believe they should be specified in section 4, with other grant types.
But there must be a reason for the way it is now, so why?

With kind regards,
Bart Wiegmans | Developer

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bart
Wiegmans
Sent: Monday, 28 November 2011 16:13
To: oauth WG
Subject: [OAUTH-WG] Refresh tokens

Hello everybody,

This is my first post on this mailing list, so I will introduce myself.
My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am
involved with OAuth2 because I am implementing an authorization server
for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access
token exposure. Which I find desirable.
2. However, they can also be seen as credentials for an access token
request. In which case, refresh token exposure is a more serious risk
than access token exposure.
3. Are there, or will there ever be, multiple refresh token types as
there are access token types?
4. Can a public client use refresh tokens at all, or is this
meaningless? If not, are public clients that are installed on a user's
computer or smartphone required to re-authorise every time an access
token expires? (This would be undesirable). Should they request
long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (javascript)
clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
---368338466-1668142724-1322500178=:60395--
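Bill's answers above (refresh tokens are credentials, so keep them on SSL; scope and limit them like access tokens; whether a public client can hold one depends on whether it can keep a secret) translate into three checks on the authorization server's token endpoint. The block below is an added example, not code from any poster or from the OAuth 2 draft: a minimal grant_type=refresh_token handler that binds the refresh token to the client it was issued to, lets a refresh narrow but never widen the originally granted scope, and rotates the refresh token on every use so a leaked copy is only useful until the legitimate client next refreshes. The in-memory store, token formats, error-object shape and the one-hour access token lifetime are assumptions made for the example.

```python
"""Added example (not code from any poster or from the OAuth 2 draft):
a minimal authorization-server handler for grant_type=refresh_token.

Assumptions: tokens are random opaque strings kept in an in-memory dict,
access tokens live for one hour, and errors are returned as {"error": ...}
objects in the style of the OAuth 2 token endpoint.
"""
import secrets
import time

ACCESS_TOKEN_TTL = 3600   # seconds; constructed value for the example


class AuthorizationServer:
    def __init__(self):
        self._refresh = {}   # refresh_token -> {"client_id", "user", "scope"}
        self._access = {}    # access_token  -> (scope, expires_at)

    def _new_access_token(self, scope, now):
        token = secrets.token_urlsafe(32)
        self._access[token] = (frozenset(scope), now + ACCESS_TOKEN_TTL)
        return token

    def _token_response(self, scope, refresh_token, now):
        return {
            "access_token": self._new_access_token(scope, now),
            "token_type": "bearer",
            "expires_in": ACCESS_TOKEN_TTL,
            "refresh_token": refresh_token,
            "scope": " ".join(sorted(scope)),
        }

    def issue(self, client_id, user, scope, now=None):
        """Initial issuance after the resource owner approved `scope`."""
        now = time.time() if now is None else now
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = {"client_id": client_id, "user": user,
                                  "scope": frozenset(scope)}
        return self._token_response(scope, refresh, now)

    def refresh_grant(self, client_id, refresh_token, scope=None, now=None):
        """Token endpoint, grant_type=refresh_token.

        Returns a token response or an OAuth error object.
        """
        now = time.time() if now is None else now
        grant = self._refresh.get(refresh_token)
        # Unknown, already rotated, or issued to a different client: the same
        # error for all three, so a presenter learns nothing from the response.
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        # The scope of the new access token may be narrowed, never widened
        # beyond what the resource owner originally granted.
        requested = grant["scope"] if scope is None else frozenset(scope)
        if not requested <= grant["scope"]:
            return {"error": "invalid_scope"}
        # Rotate: retire the presented refresh token and issue a fresh one under
        # the original grant (narrowing applies to this access token only).
        del self._refresh[refresh_token]
        new_refresh = secrets.token_urlsafe(32)
        self._refresh[new_refresh] = dict(grant)
        return self._token_response(requested, new_refresh, now)

    def introspect(self, access_token, now=None):
        """Resource-server side check: the token's scope, or None if invalid."""
        now = time.time() if now is None else now
        entry = self._access.get(access_token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


if __name__ == "__main__":
    srv = AuthorizationServer()
    first = srv.issue("client-a", "bart", {"read", "write"}, now=1000)
    print("other client refreshing:", srv.refresh_grant("client-b", first["refresh_token"], now=1100))
    print("scope escalation:", srv.refresh_grant("client-a", first["refresh_token"],
                                                  scope={"read", "admin"}, now=1100))
    narrowed = srv.refresh_grant("client-a", first["refresh_token"], scope={"read"}, now=1100)
    print("narrowed refresh scope:", narrowed["scope"])
    print("old refresh token reused:", srv.refresh_grant("client-a", first["refresh_token"], now=1200))
```

For a public client, which has no client secret, the client_id binding is the only client-side check left, which is exactly Bill's point that it comes down to whether the installed client can keep the refresh token itself private. Rotation also gives the server a theft signal for free: a rotated refresh token showing up a second time means two parties hold copies of one grant, and revoking the whole grant at that point is a reasonable response.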

From pranamcs@sg.ibm.com  Mon Nov 28 12:07:24 2011
Return-Path: <pranamcs@sg.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54A5211E80E1 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 12:07:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.184
X-Spam-Level: 
X-Spam-Status: No, score=-4.184 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9hGRs4iWB8gF for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 12:07:23 -0800 (PST)
Received: from e23smtp07.au.ibm.com (e23smtp07.au.ibm.com [202.81.31.140]) by ietfa.amsl.com (Postfix) with ESMTP id 7CA9611E808E for <oauth@ietf.org>; Mon, 28 Nov 2011 12:07:22 -0800 (PST)
Received: from /spool/local by e23smtp07.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <pranamcs@sg.ibm.com>; Mon, 28 Nov 2011 20:04:42 +1000
Received: from d23relay05.au.ibm.com ([202.81.31.247]) by e23smtp07.au.ibm.com ([202.81.31.204]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;  Mon, 28 Nov 2011 20:04:32 +1000
Received: from d23av04.au.ibm.com (d23av04.au.ibm.com [9.190.235.139]) by d23relay05.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pASK39hw3625212 for <oauth@ietf.org>; Tue, 29 Nov 2011 07:03:12 +1100
Received: from d23av04.au.ibm.com (loopback [127.0.0.1]) by d23av04.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pASK6ZoU001845 for <oauth@ietf.org>; Tue, 29 Nov 2011 07:06:35 +1100
Received: from d23ml125.sg.ibm.com (d23ml125.sg.ibm.com [9.127.37.161]) by d23av04.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id pASK6YVF001805 for <oauth@ietf.org>; Tue, 29 Nov 2011 07:06:34 +1100
Auto-Submitted: auto-generated
From: Codur Sreedhar Pranam <pranamcs@sg.ibm.com>
To: oauth@ietf.org
Message-ID: <OFB4BA151D.6ED73989-ON48257956.006DF4E8-48257956.006DF4E9@sg.ibm.com>
Date: Tue, 29 Nov 2011 04:01:01 +0800
X-MIMETrack: Serialize by Router on d23ml125/23/M/IBM(Release 8.5.1FP4|July 25, 2010) at 11/29/2011 04:01:01
MIME-Version: 1.0
Content-type: multipart/alternative;  Boundary="0__=C7BBF3C5DFFE72788f9e8a93df938690918cC7BBF3C5DFFE7278"
Content-Disposition: inline
x-cbid: 11112810-0260-0000-0000-0000001F566C
Subject: [OAUTH-WG] AUTO: Codur Sreedhar Pranam is out of the office (returning 12/11/2011)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 20:07:24 -0000

--0__=C7BBF3C5DFFE72788f9e8a93df938690918cC7BBF3C5DFFE7278
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: quoted-printable



I am out of the office until 12/11/2011.




Note: This is an automated response to your message  "OAuth Digest, Vol 37,
Issue 38" sent on 11/29/11 4:00:07.

This is the only notification you will receive while this person is away.

--0__=C7BBF3C5DFFE72788f9e8a93df938690918cC7BBF3C5DFFE7278--


From eran@hueniverse.com  Mon Nov 28 15:23:10 2011
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: William Mills <wmills@yahoo-inc.com>, Bart Wiegmans <bart@all4students.nl>, oauth WG <oauth@ietf.org>
Date: Mon, 28 Nov 2011 16:22:46 -0700
Message-ID: <CAF957B1.B51F%eran@hueniverse.com>
In-Reply-To: <1322500178.60395.YahooMailNeo@web31801.mail.mud.yahoo.com>
Subject: Re: [OAUTH-WG] Refresh tokens


Re: #5

It was part of section 4 but people found it more confusing.

EHL

From: William Mills <wmills@yahoo-inc.com>
Reply-To: William Mills <wmills@yahoo-inc.com>
Date: Mon, 28 Nov 2011 10:09:38 -0700
To: Bart Wiegmans <bart@all4students.nl>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refresh tokens

1&2) Yep.  This is why flows using Refresh Tokens must always use SSL.

3) Refresh tokens are comparable to access tokens in that you can scope them etc.  In fact it makes a great deal of sense to limit them in the same way the access tokens are limited.

4) The answer here depends on the security requirements for your app.  It all depends on whether you feel the client can keep a secret, either a MAC signing secret or a token.  Whether you store them on disk or not depends a lot on how you'd plan to store them; if it's in a browser, then you're pretty much trusting the user-level file security on the computer.

5) Not sure, might be that Eran wanted to generalize it so as not to be putting specific authentication scheme constructs into the base framework.

-bill

________________________________
From: Bart Wiegmans <bart@all4students.nl>
To: oauth WG <oauth@ietf.org>
Sent: Monday, November 28, 2011 7:20 AM
Subject: Re: [OAUTH-WG] Refresh tokens

I forgot the following question:

5. If refresh tokens are just another way of requesting access tokens, I
believe they should be specified in section 4, with other grant types.
But there must be a reason for the way it is now, so why?

With kind regards,
Bart Wiegmans | Developer

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On behalf of Bart Wiegmans
Sent: Monday, 28 November 2011 16:13
To: oauth WG
Subject: [OAUTH-WG] Refresh tokens

Hello everybody,

This is my first post on this mailing list, so I will introduce myself.
My name is Bart Wiegmans, I work in Groningen, the Netherlands. I am
involved with OAuth2 because I am implementing an authorization server
for my employer, all4students / studenten.net.

I have a few remarks about refresh tokens.

1. The way I understand it, they are a way to limit the impact of access
token exposure. Which I find desirable.
2. However, they can also be seen as credentials for an access token
request. In which case, refresh token exposure is a more serious risk
than access token exposure.
3. Are there, or will there ever be, multiple refresh token types as
there are access token types?
4. Can a public client use refresh tokens at all, or is this
meaningless? If not, are public clients that are installed on a user's
computer or smartphone required to re-authorise every time an access
token expires? (This would be undesirable.) Should they request
long-lived access tokens?

About MAC tokens, I wonder about the practicality of public (javascript)
clients using them as a token type.

With kind regards,
Bart Wiegmans | Developer
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth




From barryleiba.mailing.lists@gmail.com  Mon Nov 28 19:39:46 2011
In-Reply-To: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
Date: Mon, 28 Nov 2011 22:39:45 -0500
Message-ID: <CAC4RtVABZSo2VXZ4pTGw9P+fdRrUWQajXm+SngQw6Ng9qK+NNQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places):
>
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> support additional transport-layer mechanisms meeting its security
> requirements.
>
> In both the shepherd review and the AD review, this was called into question:
> 1. MUST for an old version and SHOULD for the current version seems wrong.
> 2. Having specific versions required locks us into those versions (for
> example, all implementations will have to support TLS 1.0, even long
> after it becomes obsolete, unless we rev the spec).

The comments I've gotten on this show a clear consensus against the
change I suggest, and against any attempt to require a version of TLS
other than 1.0.  I still, though, am concerned that locking this spec
into TLS 1.0 is limiting.  So let me propose an alternative wording,
which again tries to make the version(s) non-normative, while making
it clear which version(s) need to be implemented to get
interoperability:

NEW
--------------------------------------------
The authorization server MUST implement TLS.  Which version(s)
ought to be implemented will vary over time, and depend on
the widespread deployment and known security vulnerabilities at
the time of implementation.  At the time of this writing, TLS version
1.2 [RFC5246] is the most recent version, but has very limited
actual deployment, and might not be readily available in
implementation toolkits.  TLS version 1.0 [RFC2246] is the
most widely deployed version, and will give the broadest
interoperability.

Servers MAY also implement additional transport-layer
mechanisms that meet their security requirements.
--------------------------------------------

Comments on this version?

Barry

From bart@all4students.nl  Tue Nov 29 02:32:17 2011
Date: Tue, 29 Nov 2011 11:32:11 +0100
Message-ID: <AEDA1B65E9329448939CEFA895C129E203850B09@studentserver.studentennet.local>
From: "Bart Wiegmans" <bart@all4students.nl>
To: "oauth WG" <oauth@ietf.org>
Subject: [OAUTH-WG] delete access tokens?

Hello everybody, again.

This is just me pushing a random idea, but what if you specified that
clients could ask for access token invalidation by making a DELETE
request to the token endpoint?

Bart Wiegmans


From t.lodderstedt@telekom.de  Tue Nov 29 05:13:44 2011
From: "Lodderstedt, Torsten" <t.lodderstedt@telekom.de>
To: Bart Wiegmans <bart@all4students.nl>, oauth WG <oauth@ietf.org>
Date: Tue, 29 Nov 2011 14:08:50 +0100
Message-Id: <63366D5A116E514AA4A9872D3C5335395BB5495FBE@QEO40072.de.t-online.corp>
References: <AEDA1B65E9329448939CEFA895C129E203850B09@studentserver.studentennet.local>
In-Reply-To: <AEDA1B65E9329448939CEFA895C129E203850B09@studentserver.studentennet.local>
Subject: Re: [OAUTH-WG] delete access tokens?


Hi Bart,

I think this would be a truly RESTful approach. The group discussed this topic several months ago and consensus was to use another endpoint for token revocation (== deletion). Pls. take a look at http://tools.ietf.org/html/draft-lodderstedt-oauth-revocation-02.

regards,
Torsten.

From: Bart Wiegmans [mailto:bart@all4students.nl]
Sent: Tuesday, 29 November 2011 11:32
To: oauth WG
Subject: [OAUTH-WG] delete access tokens?

Hello everybody, again.

This is just me pushing a random idea, but what if you specified that clients could ask for access token invalidation by making a DELETE request to the token endpoint?

Bart Wiegmans



From hardjono@mit.edu  Tue Nov 29 08:46:00 2011
Return-Path: <hardjono@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E4411E809D for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 08:46:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.293
X-Spam-Level: 
X-Spam-Status: No, score=-3.293 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_URI_CONS7=0.306]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMjO8y3EtfBj for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 08:45:59 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (DMZ-MAILSEC-SCANNER-5.MIT.EDU [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 7459B11E8096 for <oauth@ietf.org>; Tue, 29 Nov 2011 08:45:59 -0800 (PST)
X-AuditID: 12074422-b7ff56d00000092f-aa-4ed50c46ef68
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 18.2F.02351.64C05DE4; Tue, 29 Nov 2011 11:45:58 -0500 (EST)
Received: from outgoing-exchange-1.mit.edu (OUTGOING-EXCHANGE-1.MIT.EDU [18.9.28.15]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id pATGjvCT013825;  Tue, 29 Nov 2011 11:45:57 -0500
Received: from OC11EXEDGE4.EXCHANGE.MIT.EDU (OC11EXEDGE4.EXCHANGE.MIT.EDU [18.9.3.27]) by outgoing-exchange-1.mit.edu (8.13.8/8.12.4) with ESMTP id pATGjv8D002533; Tue, 29 Nov 2011 11:45:57 -0500
Received: from W92EXHUB13.exchange.mit.edu (18.7.73.24) by OC11EXEDGE4.EXCHANGE.MIT.EDU (18.9.3.27) with Microsoft SMTP Server (TLS) id 14.1.289.1; Tue, 29 Nov 2011 11:45:17 -0500
Received: from OC11EXPO24.exchange.mit.edu ([169.254.1.210]) by W92EXHUB13.exchange.mit.edu ([18.7.73.24]) with mapi id 14.01.0289.001; Tue, 29 Nov 2011 11:45:56 -0500
From: Thomas Hardjono <hardjono@MIT.EDU>
To: Buhake Sindi <buhake@googlemail.com>
Thread-Topic: [OAUTH-WG] FW: New Version Notification for draft-hardjono-oauth-dynreg-01.txt
Thread-Index: AcySWVPyKbX4q4C9TZ6+o/OdvWWK0gTc3g4wAjpT3LA=
Date: Tue, 29 Nov 2011 16:45:56 +0000
Message-ID: <5E393DF26B791A428E5F003BB6C5342A032A7B@OC11EXPO24.exchange.mit.edu>
References: <20111024142922.27979.37890.idtracker@ietfa.amsl.com> <DADD7EAD88AB484D8CCC328D40214CCD0E78CBBC17@EXPO10.exchange.mit.edu> <2796DF93-ABE1-48C0-8CA2-7DC1FC239DE5@gmail.com>
In-Reply-To: <2796DF93-ABE1-48C0-8CA2-7DC1FC239DE5@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [24.218.71.218]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth \(oauth@ietf.org\)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] FW: New Version Notification for draft-hardjono-oauth-dynreg-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 16:46:00 -0000

Thanks Buhake,

Yes, this seems to be a bug in the draft.
We're preparing a new update in the next couple of weeks,
and will fix this one.

Thanks again.

/thomas/

__________________________________________


> -----Original Message-----
> From: Buhake Sindi [mailto:buhake@googlemail.com]
> Sent: Friday, November 18, 2011 3:34 AM
> To: Thomas Hardjono
> Cc: oauth (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] FW: New Version Notification for draft-hardjono-oauth-dynreg-01.txt
>
> Hi Thomas,
>
>
> Concerning the above documentation, section 7.4. Your error attributes
> and example don't match. Should I ignore the example shown in the
> document?
>
>
> Buhake Sindi
>
> The Elite Gentleman.
>
> On 24 Oct 2011, at 16:31, Thomas Hardjono <hardjono@MIT.EDU> wrote:
>
> > FYI Folks,
> >
> > Just a rev update.
> >
> > /thomas/
> >
> >
> > __________________________________________
> >
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Monday, October 24, 2011 10:29 AM
> > To: Thomas Hardjono
> > Cc: m.p.machulak@ncl.ac.uk; Thomas Hardjono; eve@xmlgrrl.com
> > Subject: New Version Notification for draft-hardjono-oauth-dynreg-01.txt
> >
> > A new version of I-D, draft-hardjono-oauth-dynreg-01.txt has been
> > successfully submitted by Thomas Hardjono and posted to the IETF
> > repository.
> >
> > Filename:     draft-hardjono-oauth-dynreg
> > Revision:     01
> > Title:        OAuth Dynamic Client Registration Protocol
> > Creation date:     2011-10-24
> > WG ID:        Individual Submission
> > Number of pages: 20
> >
> > Abstract:
> >   This specification proposes an OAuth Dynamic Client Registration
> >   protocol.
> >
> >
> >
> >
> > The IETF Secretariat
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth

From brian@lingotek.com  Tue Nov 29 11:49:35 2011
Return-Path: <brian@lingotek.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 292F611E8102 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 11:49:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level: 
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Trn4ETUDmy8q for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 11:49:34 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2CA11E8101 for <oauth@ietf.org>; Tue, 29 Nov 2011 11:49:34 -0800 (PST)
Received: by bkbzv15 with SMTP id zv15so11511958bkb.31 for <oauth@ietf.org>; Tue, 29 Nov 2011 11:49:33 -0800 (PST)
Received: by 10.204.154.6 with SMTP id m6mr52823858bkw.20.1322596173163; Tue, 29 Nov 2011 11:49:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.204.187.71 with HTTP; Tue, 29 Nov 2011 11:49:12 -0800 (PST)
From: Brian Hawkins <brian@lingotek.com>
Date: Tue, 29 Nov 2011 12:49:12 -0700
Message-ID: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=0015175df162152f1504b2e4eb3b
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 19:51:05 -0000

--0015175df162152f1504b2e4eb3b
Content-Type: text/plain; charset=ISO-8859-1

I'm having trouble finding information on how to do 2leg authentication
with OAuth 2.0.  Does it even support it?

Thanks
Brian

--0015175df162152f1504b2e4eb3b--

From stpeter@stpeter.im  Tue Nov 29 11:53:37 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E6221F8B23 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 11:53:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3+CX0Dr7nh+y for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 11:53:36 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 7EF3E21F8B20 for <oauth@ietf.org>; Tue, 29 Nov 2011 11:53:36 -0800 (PST)
Received: from normz.cisco.com (unknown [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id C9D58422B6; Tue, 29 Nov 2011 13:00:30 -0700 (MST)
Message-ID: <4ED5383E.5020605@stpeter.im>
Date: Tue, 29 Nov 2011 12:53:34 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Brian Hawkins <brian@lingotek.com>
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com>
In-Reply-To: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com>
X-Enigmail-Version: 1.3.3
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 19:53:37 -0000

On 11/29/11 12:49 PM, Brian Hawkins wrote:
> I'm having trouble finding information on how to do 2leg authentication
> with OAuth 2.0.  Does it even support it?

This issue comes up often enough that it deserves to be in a FAQ.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From phil.hunt@oracle.com  Tue Nov 29 12:05:20 2011
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE9AC1F0C38 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:05:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oJJXuHEzCHoo for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:05:20 -0800 (PST)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id C8DF11F0C46 for <oauth@ietf.org>; Tue, 29 Nov 2011 12:05:19 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pATK5InA021735 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 29 Nov 2011 20:05:18 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pATK5GKj012623 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Nov 2011 20:05:17 GMT
Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pATK5Ebr026771; Tue, 29 Nov 2011 14:05:14 -0600
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 29 Nov 2011 12:05:14 -0800
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <4ED5383E.5020605@stpeter.im>
Date: Tue, 29 Nov 2011 12:05:14 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <0EC9023D-A96E-4FF2-B89C-AD2C3B4BBFEB@oracle.com>
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com> <4ED5383E.5020605@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
X-CT-RefId: str=0001.0A090205.4ED53AFF.0012,ss=1,re=0.000,fgs=0
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 20:05:21 -0000

This diagram may be out of date, but I found it useful early on to understand the multiple flows and "legs" of OAuth.

http://www.independentid.com/2011/03/oauth-flows-extended.html

The question of "legs" (or parties as some prefer) depends on what you have and what you need.

Take a look at Implicit (4.2) and Resource Owner (4.3) flows for some examples of 2-leg flows using passwords. There are others for different types of grants.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-11-29, at 11:53 AM, Peter Saint-Andre wrote:

> On 11/29/11 12:49 PM, Brian Hawkins wrote:
>> I'm having trouble finding information on how to do 2leg authentication
>> with OAuth 2.0.  Does it even support it?
>
> This issue comes up often enough that it deserves to be in a FAQ.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From eran@hueniverse.com  Tue Nov 29 12:06:34 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90FEB1F0C70 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:06:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.298
X-Spam-Level: 
X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[AWL=0.300,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IY6BK2SCV2LG for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:06:34 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id E5E371F0C3D for <oauth@ietf.org>; Tue, 29 Nov 2011 12:06:33 -0800 (PST)
Received: (qmail 23777 invoked from network); 29 Nov 2011 20:06:33 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 29 Nov 2011 20:06:33 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Tue, 29 Nov 2011 13:06:29 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Hawkins <brian@lingotek.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 29 Nov 2011 13:06:23 -0700
Thread-Topic: [OAUTH-WG] 2 Leg with OAuth 2.0
Thread-Index: Acyu0EQdeoAjbI8+TXGPYnEx1bielgAAexaQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com>
In-Reply-To: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DBEP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 20:06:34 -0000

--_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DBEP3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

This functionality can be implemented in two main ways:


1.       Using the client credentials flow to get an access token, then using the protocol as usual

2.       Just using the Bearer (over SSL) or MAC token schemes without the rest of OAuth

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0

I'm having trouble finding information on how to do 2leg authentication with OAuth 2.0.  Does it even support it?

Thanks
Brian

--_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DBEP3PW5EX1MB01E_--
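The first of the two approaches above, the client credentials grant followed by ordinary bearer-token use, as an added example that is not part of this thread or of any OAuth implementation named in it. Both legs run in one process; the client id, client secret, scope, token lifetime and the in-memory token store are constructed sample values standing in for a real authorization server.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed client registration (sample values, not real credentials):
# "site-a" is the calling site, holding a client secret issued out of band.
CLIENTS = {"site-a": "constructed-client-secret"}
TOKEN_LIFETIME = 3600          # seconds; constructed policy value
_tokens = {}                   # in-memory token store standing in for the AS database


def build_token_request(client_id, client_secret, scope="users:write"):
    """Client side of the client credentials grant (RFC 6749 section 4.4).
    The client authenticates itself with HTTP Basic; no resource owner is
    involved, which is what makes the exchange 'two-legged'."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "path": "/token",
        "headers": {
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": "grant_type=client_credentials&scope=" + scope,
    }


def _authenticate_client(headers):
    """Return the client_id when the HTTP Basic credentials match, else None.
    The secret comparison is constant-time so a wrong guess leaks no timing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, _, secret = decoded.partition(":")
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return client_id


def token_endpoint(request, now):
    """Authorization server side: returns (HTTP status, response body dict)."""
    client_id = _authenticate_client(request["headers"])
    if client_id is None:
        return 401, {"error": "invalid_client"}       # RFC 6749 section 5.2
    form = parse_qs(request["body"])
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    scope = form.get("scope", [""])[0]
    token = secrets.token_urlsafe(32)                 # unguessable, not derived from the secret
    _tokens[token] = {"client_id": client_id, "scope": scope,
                      "expires_at": now + TOKEN_LIFETIME}
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": TOKEN_LIFETIME, "scope": scope}


def build_resource_request(access_token):
    """Client side: present the token as a bearer token (RFC 6750) on the API call."""
    return {"method": "PUT", "path": "/users/42",
            "headers": {"Authorization": "Bearer " + access_token}}


def protected_resource(request, now, required_scope="users:write"):
    """Resource server side: accept only a live token carrying the required scope.
    Error codes follow RFC 6750 section 3.1."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {}                                # no credentials: challenge, no error code
    info = _tokens.get(auth[7:])
    if info is None or info["expires_at"] <= now:
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"updated_by": info["client_id"]}


def two_legged_flow(client_id, client_secret, now=1_000_000):
    """Drive both legs end to end and return the resource server's final status."""
    status, body = token_endpoint(build_token_request(client_id, client_secret), now)
    if status != 200:
        return status
    status, _ = protected_resource(build_resource_request(body["access_token"]), now)
    return status


if __name__ == "__main__":
    print(two_legged_flow("site-a", "constructed-client-secret"))   # 200
    print(two_legged_flow("site-a", "wrong-secret"))                 # 401
```

The resource server accepts the bearer token purely on possession, which is why the thread's option 1 assumes TLS on both the token request and the API call.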

From bcampbell@pingidentity.com  Tue Nov 29 12:13:09 2011
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA161F0CA4 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:13:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level: 
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LmXHWWzIIDaL for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:13:08 -0800 (PST)
Received: from na3sys009aog101.obsmtp.com (na3sys009aog101.obsmtp.com [74.125.149.67]) by ietfa.amsl.com (Postfix) with ESMTP id 74CB41F0C82 for <oauth@ietf.org>; Tue, 29 Nov 2011 12:13:08 -0800 (PST)
Received: from mail-gy0-f173.google.com ([209.85.160.173]) (using TLSv1) by na3sys009aob101.postini.com ([74.125.148.12]) with SMTP ID DSNKTtU809CwD6DK83qVUZHn1PumDTu2vQuz@postini.com; Tue, 29 Nov 2011 12:13:08 PST
Received: by mail-gy0-f173.google.com with SMTP id g19so8863280ghb.18 for <oauth@ietf.org>; Tue, 29 Nov 2011 12:13:07 -0800 (PST)
Received: by 10.236.114.195 with SMTP id c43mr73921519yhh.12.1322597587789; Tue, 29 Nov 2011 12:13:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.146.192.35 with HTTP; Tue, 29 Nov 2011 12:12:36 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 29 Nov 2011 13:12:36 -0700
Message-ID: <CA+k3eCSS9yKw_WmeWrwZhkVsZS=XvHe0Y14tgwNmV49_hvQHjA@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 20:13:09 -0000

Or using the SAML or JWT grants to get an access token, then using the
protocol as usual.


On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> This functionality can be implemented in two main ways:
>
>
>
> 1.       Using the client credentials flow to get an access token, then
> using the protocol as usual
>
> 2.       Just using the Bearer (over SSL) or MAC token schemes without the
> rest of OAuth
>
>
>
> EHL
>
>
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Brian Hawkins
> Sent: Tuesday, November 29, 2011 11:49 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>
>
>
> I'm having trouble finding information on how to do 2leg authentication with
> OAuth 2.0.  Does it even support it?
>
>
>
> Thanks
>
> Brian
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

From brian@lingotek.com  Tue Nov 29 12:28:12 2011
Return-Path: <brian@lingotek.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90FB41F0CD3 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:28:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Level: 
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[AWL=0.174,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cM9XCapuwBPK for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:28:11 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 555021F0CC5 for <oauth@ietf.org>; Tue, 29 Nov 2011 12:28:11 -0800 (PST)
Received: by bkbzv15 with SMTP id zv15so11555087bkb.31 for <oauth@ietf.org>; Tue, 29 Nov 2011 12:28:10 -0800 (PST)
Received: by 10.204.14.208 with SMTP id h16mr50669263bka.2.1322598490210; Tue, 29 Nov 2011 12:28:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.204.187.71 with HTTP; Tue, 29 Nov 2011 12:27:49 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Brian Hawkins <brian@lingotek.com>
Date: Tue, 29 Nov 2011 13:27:49 -0700
Message-ID: <CAK04b06gNf5Qe3ndagzCM6C36v52p2NGCteD=AdMktSoCDgawA@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=00032555606230819004b2e575ae
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 20:28:12 -0000

--00032555606230819004b2e575ae
Content-Type: text/plain; charset=ISO-8859-1

Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs
to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the
update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token
scheme and sign the request with the consumer secret.  Is that valid?  I
kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian

On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> This functionality can be implemented in two main ways:
>
> 1. Using the client credentials flow to get an access token, then using
>    the protocol as usual
>
> 2. Just using the Bearer (over SSL) or MAC token schemes without the rest
>    of OAuth
>
> EHL
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Brian Hawkins
> Sent: Tuesday, November 29, 2011 11:49 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>
> I'm having trouble finding information on how to do 2leg authentication
> with OAuth 2.0.  Does it even support it?
>
> Thanks
>
> Brian
>

--00032555606230819004b2e575ae--

From eran@hueniverse.com  Tue Nov 29 12:38:32 2011
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 160451F0CDA for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:38:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nx+uGA9joAW7 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:38:29 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 6F1B91F0C84 for <oauth@ietf.org>; Tue, 29 Nov 2011 12:38:29 -0800 (PST)
Received: (qmail 4997 invoked from network); 29 Nov 2011 20:38:28 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 29 Nov 2011 20:38:28 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Tue, 29 Nov 2011 13:38:22 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Hawkins <brian@lingotek.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 29 Nov 2011 13:38:17 -0700
Thread-Topic: [OAUTH-WG] 2 Leg with OAuth 2.0
Thread-Index: Acyu1ZBEiSiJVmm1SLurJ2pJcptthwAASXcA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C6DD1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAK04b06gNf5Qe3ndagzCM6C36v52p2NGCteD=AdMktSoCDgawA@mail.gmail.com>
In-Reply-To: <CAK04b06gNf5Qe3ndagzCM6C36v52p2NGCteD=AdMktSoCDgawA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DD1P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 20:38:32 -0000

--_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DD1P3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Both MAC and Bearer work in this setup, just think of them as HMAC-SHA-1
and PLAINTEXT in OAuth 1.0. In Bearer, your token is the client secret and
in MAC, the client secret is the key.

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
Brian Hawkins
Sent: Tuesday, November 29, 2011 12:28 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs
to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the
update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token
scheme and sign the request with the consumer secret.  Is that valid?  I
kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian

On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <eran@hueniverse.com>
wrote:
This functionality can be implemented in two main ways:

1. Using the client credentials flow to get an access token, then using the
   protocol as usual

2. Just using the Bearer (over SSL) or MAC token schemes without the rest
   of OAuth

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
Brian Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0

I'm having trouble finding information on how to do 2leg authentication
with OAuth 2.0.  Does it even support it?

Thanks
Brian


--_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DD1P3PW5EX1MB01E_--

From wmills@yahoo-inc.com  Tue Nov 29 12:59:17 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBD5E1F0CA6 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:59:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.995
X-Spam-Level: 
X-Spam-Status: No, score=-16.995 tagged_above=-999 required=5 tests=[AWL=0.603, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oY1db2kc74zD for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 12:59:13 -0800 (PST)
Received: from nm27-vm0.bullet.mail.bf1.yahoo.com (nm27-vm0.bullet.mail.bf1.yahoo.com [98.139.213.139]) by ietfa.amsl.com (Postfix) with SMTP id 73B751F0CAB for <oauth@ietf.org>; Tue, 29 Nov 2011 12:59:13 -0800 (PST)
Received: from [98.139.215.141] by nm27.bullet.mail.bf1.yahoo.com with NNFMP; 29 Nov 2011 20:59:10 -0000
Received: from [98.139.212.236] by tm12.bullet.mail.bf1.yahoo.com with NNFMP; 29 Nov 2011 20:59:10 -0000
Received: from [127.0.0.1] by omp1045.mail.bf1.yahoo.com with NNFMP; 29 Nov 2011 20:59:10 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 451124.75707.bm@omp1045.mail.bf1.yahoo.com
Received: (qmail 32957 invoked by uid 60001); 29 Nov 2011 20:59:09 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322600349; bh=2iW5F3qlnA+oPeyxw42VOBpzUN2ZML1dMrY9ZdML+lk=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Vp3nnJPNHXwoUc4B4ImwaA6qy17GBb0ZvimPU/K56ofYlDVGg0O4OuSsYjGEyuv2LmWFfPae3jml5+ff/LZTceOhZMw4a3DBXB3mRVAmArvWXhNpomgLdQWC3wwIHblfbgACJp2szLcJy00hnhg4II1qyhHSZ5FMnR21UC3C1+g=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=sjbAmKkjtWTBmfkLDhbrpk+NBbihRGU4JCk0oIz6ZH3BYiYXpUTkJsSiqv/4uoi3dtDcxqTvMeLAzVwPOx350pbR8Bh3t50QkYqB49H9acFbwWQ9BLxKeUImIg+oPk4ncqwwws8nzOphG+gXNsLu7Pe/GfSU1a5i7QTEjcViQ54=;
X-YMail-OSG: nVgJ_qwVM1kfIGGV0rmZ4dBEWIpv8bI8q0MakvtNEl8PFF1 _s3Nd00wm0gzcGYBTi3YjPUXk6LB9jjenxCTXukG5tpixoCaR7cBN2Cidthz JM0CZ_qakhB9oI3Rt1T_GcGlyAfX6C78Z4iCg7e337V7028FTDww30xcQlgS YRVkFNh2isvatlIHG1RwgXFdVYgVL1aa2CnsSEMK7THgKEpMTA4S2hCnTe9f SizIB4Dpe.0aP4IeEreBBZPnUca4taUWs3gm3mfjLunCzgKzchrVzyLtCQC2 x9NcxNjitbiVRstk1azVJd4ch9QzrFimaGXs0Bih34OCAuk529mtHmSOfCoR xCTziQr1yPt9XzdnA4Q0Y4V0BxVRhh2nKuk208IFTlQoX9xvUCIARt5ib5Lx qwm8xU.5Y64R4ZIq4Vmc12sNfxaZ3.WjMY8vn
Received: from [209.131.62.115] by web31804.mail.mud.yahoo.com via HTTP; Tue, 29 Nov 2011 12:59:09 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.331537
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAK04b06gNf5Qe3ndagzCM6C36v52p2NGCteD=AdMktSoCDgawA@mail.gmail.com>
Message-ID: <1322600349.22998.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Tue, 29 Nov 2011 12:59:09 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Brian Hawkins <brian@lingotek.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CAK04b06gNf5Qe3ndagzCM6C36v52p2NGCteD=AdMktSoCDgawA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="835683298-611104942-1322600349=:22998"
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 20:59:17 -0000

--835683298-611104942-1322600349=:22998
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

This isn't really OAuth, this is a trust relationship between A and B.
OAuth is providing an avenue for the user to approve access because the
user owns the resource.  That's why this doesn't really fit what you are
trying to do.

You could use MAC signatures to secure the transactions with a shared
secret, sure.  Just decide on a single secret (or pair of secrets) to use
in all cases, one for the client and one for the "user" secret, which
isn't really a user secret, it's your global shared secret.

-bill


________________________________
From: Brian Hawkins <brian@lingotek.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Sent: Tuesday, November 29, 2011 12:27 PM
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs
to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the
update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token
scheme and sign the request with the consumer secret.  Is that valid?  I
kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian

On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> This functionality can be implemented in two main ways:
>
> 1. Using the client credentials flow to get an access token, then using
>    the protocol as usual
> 2. Just using the Bearer (over SSL) or MAC token schemes without the rest
>    of OAuth
>
> EHL
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Brian Hawkins
> Sent: Tuesday, November 29, 2011 11:49 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>
> I'm having trouble finding information on how to do 2leg authentication
> with OAuth 2.0.  Does it even support it?
>
> Thanks
> Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--835683298-611104942-1322600349=:22998--
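
The two-legged arrangement described in Eran Hammer-Lahav's reply (Bearer with the client secret as the token, or MAC with the client secret as the HMAC key) and in William Mills's reply (MAC signatures over a shared secret), worked through as an added example that is not part of the original thread and is not code from any OAuth implementation. The MAC normalization follows the general shape of the OAuth 2.0 MAC token draft under discussion at the time (timestamp, nonce, method, request URI, host, port, ext), but field order and header syntax changed between draft revisions, so it is illustrative rather than wire-compatible with any one revision. The client id, secret, hostnames, the user record, the fixed clock value and the use of `ext` to carry a body hash are all assumptions made for this example.

```python
"""Two-legged OAuth 2.0 between two trusted sites, as the thread sketches:
Site A authenticates to Site B with its own client credentials, no user
and no token endpoint.  Bearer sends the client secret itself (TLS only);
MAC keeps the secret at Site A and sends an HMAC over the request.  The
normalized string (ts, nonce, method, URI, host, port, ext) follows the
shape of the MAC token draft of the time, illustrative not wire-compatible.
All ids, secrets and request data below are constructed for this example."""
import base64
import hashlib
import hmac
import time

CLIENT_ID = "site-a"                                   # constructed
CLIENT_SECRET = "d3b07384d113edec49eaa6238ad5ff00"     # constructed

def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    """Request elements the MAC covers, each terminated by LF."""
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"

def compute_mac(key, msg):
    """HMAC-SHA-256 over the normalized string, base64 as the header carries it."""
    return base64.b64encode(hmac.new(key.encode(), msg.encode(), hashlib.sha256).digest()).decode()

def mac_authorization(key_id, key, method, uri, host, port, ts, nonce, body=b""):
    """Site A: build Authorization: MAC for one request.  The core string does
    not cover the body, so this example binds it with a SHA-256 hash in 'ext'."""
    ext = hashlib.sha256(body).hexdigest() if body else ""
    mac = compute_mac(key, normalized_request(ts, nonce, method, uri, host, port, ext))
    attrs = [f'id="{key_id}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if ext:
        attrs.append(f'ext="{ext}"')
    attrs.append(f'mac="{mac}"')
    return "MAC " + ", ".join(attrs)

def parse_mac_header(header):
    """'MAC id="..", ts="..", ...' -> dict; the values used here contain no commas."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC header")
    attrs = {}
    for item in rest.split(","):
        name, _, value = item.strip().partition("=")
        attrs[name] = value.strip('"')
    return attrs

class MacVerifier:
    """Site B: recompute the MAC, then reject stale or replayed requests."""
    def __init__(self, keys, max_skew=300):
        self.keys = keys            # key id -> shared secret
        self.max_skew = max_skew    # seconds of clock drift tolerated
        self.seen = set()           # (id, ts, nonce) of requests already accepted

    def verify(self, header, method, uri, host, port, body=b"", now=None):
        now = int(time.time()) if now is None else now
        a = parse_mac_header(header)
        key = self.keys.get(a.get("id"))
        if key is None:
            return False, "unknown id"
        ts = int(a["ts"]) if a.get("ts", "").isdigit() else None
        if ts is None or abs(now - ts) > self.max_skew:
            return False, "bad or stale timestamp"
        ext = a.get("ext", "")
        if body and not hmac.compare_digest(ext.encode(), hashlib.sha256(body).hexdigest().encode()):
            return False, "body hash mismatch"
        expected = compute_mac(key, normalized_request(ts, a.get("nonce", ""), method, uri, host, port, ext))
        if not hmac.compare_digest(expected.encode(), a.get("mac", "").encode()):
            return False, "bad mac"
        replay_key = (a["id"], ts, a.get("nonce", ""))
        if replay_key in self.seen:
            return False, "replayed nonce"
        self.seen.add(replay_key)
        return True, "ok"

def bearer_authorization(token):
    """Site A: the secret itself is the credential; send it only over TLS."""
    return f"Bearer {token}"

def verify_bearer(header, tokens):
    """Site B: constant-time match of the presented token; returns the client id."""
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for client_id, expected in tokens.items():
        if hmac.compare_digest(token.encode(), expected.encode()):
            return client_id
    return None

def demo():
    """Site A updates a user at Site B; a tampered URI and a replay both fail."""
    body = b'{"user":"alice","email":"alice@example.com"}'     # constructed
    verifier = MacVerifier({CLIENT_ID: CLIENT_SECRET})
    now = 1322600349                                           # fixed clock
    hdr = mac_authorization(CLIENT_ID, CLIENT_SECRET, "PUT", "/users/alice",
                            "site-b.example", 443, now, "dj83hs9s", body)
    ok, _ = verifier.verify(hdr, "PUT", "/users/alice", "site-b.example", 443, body, now=now)
    tampered, _ = verifier.verify(hdr, "PUT", "/users/bob", "site-b.example", 443, body, now=now)
    replayed, _ = verifier.verify(hdr, "PUT", "/users/alice", "site-b.example", 443, body, now=now)
    bearer = verify_bearer(bearer_authorization(CLIENT_SECRET), {CLIENT_ID: CLIENT_SECRET})
    return ok, tampered, replayed, bearer
```

`demo()` returns `(True, False, False, "site-a")`: the honest request verifies, the same header over a different URI fails the MAC check, and a second presentation of the accepted header is caught by the nonce set. The bearer path is the OAuth 1.0 PLAINTEXT equivalent Eran describes and is only as strong as the TLS channel carrying it, which is why `verify_bearer` still uses a constant-time comparison. Two points the draft text of the time did not settle for you: the core normalized string does not bind the request body, so a body hash in `ext` (this example's convention) is one way to close that gap, and the replay set must be bounded by the timestamp window in a real deployment rather than growing without limit.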

From wmills@yahoo-inc.com  Tue Nov 29 13:00:35 2011
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ED8D21F84B0 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 13:00:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.196
X-Spam-Level: 
X-Spam-Status: No, score=-17.196 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KElQg4l2+zBQ for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2011 13:00:31 -0800 (PST)
Received: from nm38-vm4.bullet.mail.ne1.yahoo.com (nm38-vm4.bullet.mail.ne1.yahoo.com [98.138.229.148]) by ietfa.amsl.com (Postfix) with SMTP id E050C1F0C84 for <oauth@ietf.org>; Tue, 29 Nov 2011 13:00:30 -0800 (PST)
Received: from [98.138.90.51] by nm38.bullet.mail.ne1.yahoo.com with NNFMP; 29 Nov 2011 21:00:27 -0000
Received: from [98.138.88.233] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 29 Nov 2011 21:00:27 -0000
Received: from [127.0.0.1] by omp1033.mail.ne1.yahoo.com with NNFMP; 29 Nov 2011 21:00:27 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 485011.31109.bm@omp1033.mail.ne1.yahoo.com
Received: (qmail 45768 invoked by uid 60001); 29 Nov 2011 21:00:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322600426; bh=SeJTSSZ8gu3ivSrmnczHB93wCG2y2pi0EYoy0baQER4=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=nzR+wMGstS2W4WvsN9W86jyrZB4LsUbp3i5Em5hMg9JVt8d2Vu/DOUE2+EZY99NKNBa2ykCB8lnIHcJ3AuOuy/bLKG5zmbqIhXqrHD/N3ing0ZRuc3yLiJnqoWhqAGicBQbfzrJ9fOLyI3LNqxeP9I4qsLEe3lwKOLAsQia6q0Y=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=HZG59y00tTd/mD6zoY3D3JyvACUNmOsPmGhn/0xNS60TuMGsMICdVtXZbkP89pB4rVQmfU387rzfzhHpyhHXkXTz1uPrmEroquxNvIGDdHW74sF4JcIvDh0jSVg8mW/JDz4xe1wo68Dv8wXLe+1HiumXHDsCh+E2yz5qfMpSYnQ=;
X-YMail-OSG: KWA.spUVM1mt3ABnEIgsUNxHAvNO_bpPsowMqh0VgPcvJUV fsuHsI_ceeDSotzD4PAa1e__NK13ke90Wnby6.fgfxt6QHJUQOtSButVUJik WRPpJ.53NbS9FbUeiTu6tw9yQCmOzG6sxA6KbL5iUAQQgcdOeSkanFHGNrUE slrY2kGQN.ztJuKXOuhgCtWS9MY39zHe.nPUbhy.La82lR5qSFBhvT.HgMiS 2LbbiEZcKOtjyXnX0c8UDTCBLjTf8x70PCk_AaSyglCdVNlwRxBDZuB9qL8j dbxQybeMTRGxypB_V2juOox35kx8PUhte6sGMIFTUZ9M5os1DA_.q.Nvl6VK 9YoDGIC7NV_BXVJSv8e.c8IuDSZfn8Knx7pxC7nRBSRAy9m.XC3nAMTbVkmD NaRvgXpKEdIuh8VWmCdmV7MoxYM.7kOhvFDA-
Received: from [209.131.62.115] by web31812.mail.mud.yahoo.com via HTTP; Tue, 29 Nov 2011 13:00:26 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.331537
References: <CAK04b078ohKScZWEd-fJpiO73GFP-fOd+Lu8su-_nZs_KrKgbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAK04b06gNf5Qe3ndagzCM6C36v52p2NGCteD=AdMktSoCDgawA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723452856C6DD1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <1322600426.39892.YahooMailNeo@web31812.mail.mud.yahoo.com>
Date: Tue, 29 Nov 2011 13:00:26 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Brian Hawkins <brian@lingotek.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452856C6DD1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1458549034-1369596047-1322600426=:39892"
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 21:00:35 -0000

--1458549034-1369596047-1322600426=:39892
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

MAC would be more appropriate in my opinion for this.


________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Hawkins <brian@lingotek.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Tuesday, November 29, 2011 12:38 PM
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Both MAC and Bearer work in this setup, just think of them as HMAC-SHA-1 and PLAINTEXT in OAuth 1.0. In Bearer, your token is the client secret and in MAC, the client secret is the key.

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Hawkins
Sent: Tuesday, November 29, 2011 12:28 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Maybe I'm making this harder than it should be.

Here is the situation: Site A and B both trust each other. Site A needs to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the update call to Site B (no access token involved). Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token scheme and sign the request with the consumer secret. Is that valid? I kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian

On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
This functionality can be implemented in two main ways:

1. Using the client credentials flow to get an access token, then using the protocol as usual
2. Just using the Bearer (over SSL) or MAC token schemes without the rest of OAuth

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0

I'm having trouble finding information on how to do 2-leg authentication with OAuth 2.0. Does it even support it?

Thanks
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--1458549034-1369596047-1322600426=:39892--
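The two-legged setup discussed in this thread, as an added example that is not part of the thread or of any participant's code: Site A signs a request to Site B using the client secret as the MAC key and the client id as the key identifier (Eran's "the client secret is the key"), beside the Bearer option in which the secret itself is the token. The normalized request string uses the field order of draft-ietf-oauth-v2-http-mac-01 (ts, nonce, method, request-URI, host, port, ext); that revision is an assumption about what the peer implements. The client id, secret and URL are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed credentials for the 2-legged case: Site A (client) and Site B
# (resource server) share a pre-registered client id and secret. In the MAC
# scheme the id doubles as the MAC key identifier and the secret as the key;
# in the Bearer scheme the secret itself is presented as the token over TLS.
CLIENT_ID = "site-a"                      # hypothetical client id
CLIENT_SECRET = "Cx9o3p1wnUq7v2Lk8aZt4e"  # hypothetical client secret


def normalized_request_string(ts, nonce, method, url, ext=""):
    """Field order of draft-ietf-oauth-v2-http-mac-01 (assumption): ts, nonce,
    method, request-URI, host, port, ext, each terminated by a newline."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = (u.path or "/") + ("?" + u.query if u.query else "")
    fields = [str(ts), nonce, method.upper(), request_uri, u.hostname, str(port), ext]
    return "\n".join(fields) + "\n"


def compute_mac(key, normalized):
    """hmac-sha-1 over the normalized string, base64-encoded."""
    digest = hmac.new(key.encode(), normalized.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(key_id, key, method, url, ext="", ts=None, nonce=None):
    """Site A: build the Authorization header for one MAC-signed request.
    ts and nonce are parameters only so the example is reproducible."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = compute_mac(key, normalized_request_string(ts, nonce, method, url, ext))
    header = f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'
    if ext:
        header += f', ext="{ext}"'
    return header


def parse_mac_header(header):
    """Split 'MAC k="v", k="v"' into a dict; reject any other scheme."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    fields = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        fields[k] = v.strip('"')
    return fields


class MacVerifier:
    """Site B: look the key up by id, recompute the MAC over what was actually
    received, then enforce the timestamp window and nonce uniqueness so a
    captured header cannot simply be replayed."""

    def __init__(self, keys, clock=time.time, window=300):
        self.keys = keys        # key id -> MAC key (the client secret)
        self.clock = clock
        self.window = window    # tolerated clock skew, seconds
        self.seen = set()       # (id, nonce) pairs already accepted

    def verify(self, header, method, url):
        try:
            f = parse_mac_header(header)
            ts = int(f["ts"])
            nonce, mac = f["nonce"], f["mac"]
        except (ValueError, KeyError):
            return False, "malformed header"
        key = self.keys.get(f.get("id"))
        if key is None:
            return False, "unknown id"
        if abs(self.clock() - ts) > self.window:
            return False, "stale timestamp"
        if (f["id"], nonce) in self.seen:
            return False, "replayed nonce"
        expected = compute_mac(
            key, normalized_request_string(ts, nonce, method, url, f.get("ext", "")))
        if not hmac.compare_digest(expected.encode(), mac.encode()):  # constant time
            return False, "bad mac"
        self.seen.add((f["id"], nonce))
        return True, "ok"


def verify_bearer(header, expected_secret):
    """Site B, Bearer variant: the token *is* the client secret, so this is
    only acceptable over TLS, and the compare must still be constant-time."""
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token.encode(), expected_secret.encode())


if __name__ == "__main__":
    url = "https://site-b.example/users/42"
    hdr = sign_request(CLIENT_ID, CLIENT_SECRET, "PUT", url)
    print(hdr)
    print(MacVerifier({CLIENT_ID: CLIENT_SECRET}).verify(hdr, "PUT", url))
```

The MAC path is the closer analogue to OAuth 1.0's HMAC-SHA1 signing: the secret never leaves Site A, the MAC binds the method, URI and host, and Site B's timestamp window plus nonce set block replay of a captured header. With Bearer the secret itself crosses the wire on every call, so TLS is all that stands between it and a passive observer, which is why it maps to OAuth 1.0 PLAINTEXT.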
